Windows Analysis Report
fNlAH8RgLk.exe

Overview

General Information

Sample Name: fNlAH8RgLk.exe
Original Sample Name: 9a90e115834ba8339bd0cc43c034ad55.exe
Analysis ID: 1268859
MD5: 9a90e115834ba8339bd0cc43c034ad55
SHA1: 96109e6ba18aa69a359c90e1fe448e78ba6c1c57
SHA256: 583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
Tags: 32exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Injects code into the Windows Explorer (explorer.exe)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to enumerate running services
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
PE file contains executable resources (Code or Archives)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • fNlAH8RgLk.exe (PID: 5676 cmdline: C:\Users\user\Desktop\fNlAH8RgLk.exe MD5: 9A90E115834BA8339BD0CC43C034AD55)
    • irsetup.exe (PID: 7124 cmdline: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\fNlAH8RgLk.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002 MD5: DEC931E86140139380EA0DF57CD132B6)
      • un.exe (PID: 4916 cmdline: "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\ MD5: 5770866EDBB1A095D7EDC981F37D9D53)
        • conhost.exe (PID: 4932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • un.exe (PID: 5868 cmdline: "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe iusb3mon.dat Media.xml C:\Microsoft\ MD5: 5770866EDBB1A095D7EDC981F37D9D53)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • iusb3mon.exe (PID: 664 cmdline: "C:\Microsoft\iusb3mon.exe" MD5: 1B9D1C5BDDAFF4DD75A470FA12E35E66)
        • WerFault.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 4700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 880 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • explorer.exe (PID: 3328 cmdline: "C:\Windows\System32\explorer.exe" C:\WPS_Setup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • explorer.exe (PID: 5680 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: fNlAH8RgLk.exe | ReversingLabs: Detection: 34%
Source: fNlAH8RgLk.exe | Virustotal: Detection: 16%
Source: fNlAH8RgLk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fNlAH8RgLk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: irsetup.exe, 00000001.00000003.378608534.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, un.exe, 00000002.00000000.384941709.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000002.00000002.386437532.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000004.00000000.387303508.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000004.00000002.388627427.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe.1.dr
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\vmagent_new\bin\joblist\357500\out\Release\SMLProxy64.pdb source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr
Source: Binary string: E:\build\APAssist\Release\WiFiHelper.pdb source: irsetup.exe, 00000001.00000003.381817644.0000000004DFB000.00000004.00000020.00020000.00000000.sdmp, WiFiHelper.exe.1.dr
Source: Binary string: .Pdb% source: fNlAH8RgLk.exe
Source: Binary string: e:\build\360SafeNotify\Release\360SafeNotify.pdb source: irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr
Source: Binary string: P:\intermoutput\S_capital\SetupArpX64_capital\Release\SetupArpX64.pdb source: irsetup.exe, 00000001.00000003.382434798.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, SetupArpX64.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\594305\out\Release\360PayInsure.pdb source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr
Source: Binary string: eex.pdb source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\vmagent_new\bin\joblist\144658\out\Release\360SCLog.pdb source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\723346\out\Release\360RealPro.pdb source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\640834\out\Release\InstallTMDB.pdb source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\263304\out\Release\360netcfg.pdb source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A06A __EH_prolog3_GS,FindFirstFileA,FindClose,1_2_0044A06A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004C2293 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,_strcpy_s,1_2_004C2293
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A753 __EH_prolog3_GS,GetFullPathNameA,lstrcpyn,_strlen,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,1_2_0044A753
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A8A2 __EH_prolog3_GS,GetFileAttributesA,_strlen,FindFirstFileA,FindClose,1_2_0044A8A2
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004860CD __EH_prolog3_GS,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,1_2_004860CD
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A1CC __EH_prolog3_GS,_strlen,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,1_2_0044A1CC
Source: C:\un.exe | Code function: 2_2_00007FF648360D2C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,2_2_00007FF648360D2C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004359A7 __EH_prolog3_GS,GetLogicalDriveStringsA,MessageBoxA,GetDriveTypeA,MessageBoxA,1_2_004359A7
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://bbs.360.cn/forum.php?mod=forumdisplay&fid=140&filter=typeid&typeid=105325
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | String found in binary or memory: http://bbs.360safe.com/forum-100-1.htmlk2
Source: 360PayInsure.exe.1.dr | String found in binary or memory: http://bbs.360safe.com/forum-990-1.html
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://bbs.360safe.com/thread-2181954-1-1.html
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://bbs.360safe.com/thread-6839592-1-1.htmlhttp://bbs.360safe.com/forum-100-1.htmlUtils
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000008.00000002.902172633.00007FFC1B439000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000008.00000002.902172633.00007FFC1B439000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: irsetup.exe, 00000001.00000003.378608534.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, un.exe.1.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360RealPro.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360netcfg.exe.1.dr, iusb3mon.exe.4.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360RealPro.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360netcfg.exe.1.dr, iusb3mon.exe.4.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exe
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exeDllGetClassObjectCreateObjectInitLibsT
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exeIsBetaVersion360ver.dllGetChangeSkinManagerGetMiniUICompatibleGetSi
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exeSOFTWARE
Source: irsetup.exe, 00000001.00000003.381817644.0000000004DFB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr, 360SafeNotify.exe.1.dr, 360sclog.exe.1.dr, 360PayInsure.exe.1.dr, WiFiHelper.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe$
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe0
Source: irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr, 360sclog.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe8
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeX
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://es.f.360.cn/stats.phpChromePlusHTML
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://fuwu.360.cn/agreement.htmlOhttp://bbs.360.cn/forum.php?mod=forumdisplay&fid=140&filter=typeid
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://fuwu.360.cn/jubao/wangzhi?url=%s$http://xianpei.360.cn/introduce.html
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://fuwu.360.cn/lipei/baodan
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://hao.360.cn
Source: 360RealPro.exe.1.dr | String found in binary or memory: http://hao.360.cn/
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://hao.360.com
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://hao.360.com/
Source: fNlAH8RgLk.exe, un.exe.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0L
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360RealPro.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360netcfg.exe.1.dr, iusb3mon.exe.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr, iusb3mon.exe.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360RealPro.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://s.360.cn/safe/stat.html?stype=realpro&type=%s&pid=%s&m=%s&zt=%d
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | String found in binary or memory: http://s.360.cn/wangdun/baoxian.html?stype=wd_bx&mi=
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: WPS_Setup_12980.exe.1.dr | String found in binary or memory: http://s.symcd.com06
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.dr | String found in binary or memory: http://s2.symcb.com0
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | String found in binary or memory: http://sdup.360.cn/v3/safeup_libex.cabsafeup_libex.ini360app360safe
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360netcfg.exe.1.dr, iusb3mon.exe.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360RealPro.exe.1.dr, 360PayInsure.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://service.weibo.com/share/share.php?title=&pic=Internet
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.drString found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sf.symcb.com/sf.crt0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sf.symcd.com0&
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://sv.symcd.com0&
Source: WPS_Setup_12980.exe.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 360sclog.exe.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: WPS_Setup_12980.exe.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WPS_Setup_12980.exe.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.drString found in binary or memory: http://update.360safe.com/v3/safeup_ds.cabsafeup_ds.ini360dsapp360dsplus
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.drString found in binary or memory: http://update.360safe.com/v3/safeup_ds64.cabsafeup_ds64.inihttp://sdup.360.cn/v3/safeup_libex64.cabs
Source: Amcache.hve.12.drString found in binary or memory: http://upx.sf.net
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://www.110.360.cn/safevideo.html.http://bbs.360safe.com/thread-2508392-1-1.html$http://xianpei.3
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382434798.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381817644.0000000004E34000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382952851.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, SetupArpX64.exe.1.dr, InstallTMDB.exe.1.dr, 360SafeNotify.exe.1.dr, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360PayInsure.exe.1.dr, WiFiHelper.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://www.360.cn
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.360.cn/n/10575.htmldetailshttp://bbs.360safe.com/thread-5744696-1-1.htmlSOFTWARE
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.360.cn/safeBrainhttp://weishi.360.cn/top_security//panel=14001http://www.360.cn/n/11802.h
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.360.cnu
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr, WPS_Setup_12980.exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.hao.360.cn
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.hao.360.com
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.hao.360.comwww.hao.360.comhao.360.comhttp://hao.360.comhttp://hao.360.com/http://www.hao.
Source: fNlAH8RgLk.exeString found in binary or memory: http://www.indigorose.com
Source: iusb3mon.exe, 00000006.00000002.422338869.000000000050F000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.indigorose.com/route.php?pid=suf60buy
Source: irsetup.exe, 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buy
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.so.com
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.so.com/
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://www.so.com/?src=wd_xp1http://hao.360.com/?wd_xp1https://hao.360.com/?wd_xp1360PayInsure.exepa
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: http://www.so.comhttp://www.so.com/www.haoso.com
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://www.symauth.com/cps0(
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: http://www.symauth.com/rpa00
Source: 360PayInsure.exe.1.drString found in binary or memory: http://www.winimage.com/zLibDll
Source: irsetup.exe, 00000001.00000003.392173768.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392078511.0000000004D0C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.376316871.0000000004DFA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392182528.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392266060.0000000004D14000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392003893.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, irsetup.dat.1.drString found in binary or memory: http://www.yourcompany.com
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://xianpei.360.cn/
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://xianpei.360.cn/agreement.html3http://www.360.cn/privacy/v2/360anquanweishi.html#7
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://xianpei.360.cn/fanlesuo-protocal.htmlhttps://xianpei.360.cn/fanlesuo-protocal.html360
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://xianpei.360.cn/introduce.html
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://xianpei.360.cn/protocal-pop.htmlhttps://xianpei.360.cn/protocal-pop.html360Q
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: http://yx.360.cn/impression/%s&http://yx.360.cn/impression/%s?comment
Source: 360PayInsure.exe.1.drString found in binary or memory: https://bx.wd.360.cn/index.phpError
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, WPS_Setup_12980.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: https://d.symcb.com/cps0%
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, WPS_Setup_12980.exe.1.dr, 360netcfg.exe.1.drString found in binary or memory: https://d.symcb.com/rpa0
Source: WPS_Setup_12980.exe.1.drString found in binary or memory: https://d.symcb.com/rpa0.
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: https://hao.360.com
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: https://hao.360.com/?360safey1017?y1019?y1018?360safe
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: https://hao.360.comhao.360
Source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.drString found in binary or memory: https://hao.360.comhttps://hao.360.cnhttps://www.hao123.comhttp://hao123.comhttp://www.hao123.comhao
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: https://pinst.360.cn/360se/wswgxp.cabhttps://pinst.360.cn/360chrome/360safe_shopping.cab
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: https://u.xianpei.360.cn/
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.drString found in binary or memory: https://u.xianpei.360.cn/?tid=%s#%s
Source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr, 360PayInsure.exe.1.drString found in binary or memory: https://www.digicert.com/CPS0
Source: iusb3mon.exe.4.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.drString found in binary or memory: https://www.globalsign.com/repository/03
Source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360netcfg.exe.1.dr, iusb3mon.exe.4.drString found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00456018 _memset,_memset,GetTempPathA,GetTempFileNameA,SetFileAttributesA,DeleteFileA,_memset,_memset,_memset,_memset,_memset,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,_strncpy,GetProcAddress,GlobalFree,GlobalFree,GlobalFree,FreeLibrary,URLDownloadToFileA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: fNlAH8RgLk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Microsoft\iusb3mon.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 860
Source: C:\un.exe | Code function: 2_2_00007FF64836EB28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00532231
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_005D0460
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_005DA56E
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00644500
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0048C587
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004C8661
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0040E866
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0041C9D7
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00416BEB
Source: C:\un.exe | Code function: 2_2_00007FF648352964
Source: C:\un.exe | Code function: 2_2_00007FF6483599E4
Source: C:\un.exe | Code function: 2_2_00007FF64835D3DC
Source: C:\un.exe | Code function: 2_2_00007FF648351610
Source: C:\un.exe | Code function: 2_2_00007FF648377698
Source: C:\un.exe | Code function: 2_2_00007FF648379128
Source: C:\un.exe | Code function: 2_2_00007FF6483570B8
Source: C:\un.exe | Code function: 2_2_00007FF64837419C
Source: C:\un.exe | Code function: 2_2_00007FF6483619C0
Source: C:\un.exe | Code function: 2_2_00007FF6483681D4
Source: C:\un.exe | Code function: 2_2_00007FF6483671E0
Source: C:\un.exe | Code function: 2_2_00007FF648351AA0
Source: C:\un.exe | Code function: 2_2_00007FF64837EA50
Source: C:\un.exe | Code function: 2_2_00007FF64837D268
Source: C:\un.exe | Code function: 2_2_00007FF648376300
Source: C:\un.exe | Code function: 2_2_00007FF6483712E4
Source: C:\un.exe | Code function: 2_2_00007FF64836A2E8
Source: C:\un.exe | Code function: 2_2_00007FF648383B80
Source: C:\un.exe | Code function: 2_2_00007FF64836B394
Source: C:\un.exe | Code function: 2_2_00007FF648369B38
Source: C:\un.exe | Code function: 2_2_00007FF64835435C
Source: C:\un.exe | Code function: 2_2_00007FF64836236C
Source: C:\un.exe | Code function: 2_2_00007FF64837D3F8
Source: C:\un.exe | Code function: 2_2_00007FF648381C40
Source: C:\un.exe | Code function: 2_2_00007FF64835A45C
Source: C:\un.exe | Code function: 2_2_00007FF648374CC0
Source: C:\un.exe | Code function: 2_2_00007FF64835BCC8
Source: C:\un.exe | Code function: 2_2_00007FF6483784D4
Source: C:\un.exe | Code function: 2_2_00007FF6483794E4
Source: C:\un.exe | Code function: 2_2_00007FF648372D9C
Source: C:\un.exe | Code function: 2_2_00007FF648376E14
Source: C:\un.exe | Code function: 2_2_00007FF64838860C
Source: C:\un.exe | Code function: 2_2_00007FF64836DDC8
Source: C:\un.exe | Code function: 2_2_00007FF6483755E4
Source: C:\un.exe | Code function: 2_2_00007FF64835A5E4
Source: C:\un.exe | Code function: 2_2_00007FF64835963C
Source: C:\un.exe | Code function: 2_2_00007FF648384644
Source: C:\un.exe | Code function: 2_2_00007FF648369E48
Source: C:\un.exe | Code function: 2_2_00007FF648354EFC
Source: C:\un.exe | Code function: 2_2_00007FF648355F1C
Source: C:\un.exe | Code function: 2_2_00007FF64837B890
Source: C:\un.exe | Code function: 2_2_00007FF6483640AC
Source: C:\un.exe | Code function: 2_2_00007FF648381130
Source: C:\un.exe | Code function: 2_2_00007FF6483718C4
Source: C:\un.exe | Code function: 2_2_00007FF6483658E4
Source: C:\un.exe | Code function: 2_2_00007FF6483858E8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 004019B2 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 005B5207 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 004132BB appears 62 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 00402391 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 00401BAB appears 915 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 005B4D20 appears 117 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 005B519E appears 465 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 004B3BA2 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 0040C75B appears 63 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 004150D3 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 0040181F appears 92 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: String function: 0040258D appears 117 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004D5333 NtdllDefWindowProc_A
Source: C:\un.exe | Code function: 2_2_00007FF64835BCC8: CreateFileW,CloseHandle,CreateDirectoryW,free,CreateFileW,free,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,free
Source: WiFiHelper.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: 360PayInsure.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: fNlAH8RgLk.exe, 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesuf_launch.exeL vs fNlAH8RgLk.exe
Source: fNlAH8RgLk.exe | Binary or memory string: OriginalFilenamesuf_launch.exeL vs fNlAH8RgLk.exe
Source: fNlAH8RgLk.exe | Binary or memory string: OriginalFilenamesuf_rt.exeL vs fNlAH8RgLk.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044665D DeleteService
Source: irsetup.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992034912109375
Source: fNlAH8RgLk.exe | ReversingLabs: Detection: 34%
Source: fNlAH8RgLk.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | File read: C:\Users\user\Desktop\fNlAH8RgLk.exe
Source: fNlAH8RgLk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\fNlAH8RgLk.exe C:\Users\user\Desktop\fNlAH8RgLk.exe
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\fNlAH8RgLk.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\un.exe "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\
Source: C:\un.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\un.exe "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe iusb3mon.dat Media.xml C:\Microsoft\
Source: C:\un.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Microsoft\iusb3mon.exe "C:\Microsoft\iusb3mon.exe"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" C:\WPS_Setup
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Microsoft\iusb3mon.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 860
Source: C:\Microsoft\iusb3mon.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 880
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\fNlAH8RgLk.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\un.exe "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\un.exe "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe iusb3mon.dat Media.xml C:\Microsoft\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Microsoft\iusb3mon.exe "C:\Microsoft\iusb3mon.exe"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" C:\WPS_Setup
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\un.exe | Code function: 2_2_00007FF64836EB28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\un.exe | Code function: 2_2_00007FF64835B430 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0
Source: classification engine | Classification label: mal52.evad.winEXE@16/38@0/0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: CreateServiceA,1_2_0044658E
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F4188B GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrlenA,lstrcpyA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004247BD __EH_prolog3,SetFileAttributesA,DeleteFileA,CopyFileA,GetLastError,FormatMessageA,_strlen,_strlen,_strlen,LocalFree
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044668C StartServiceA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess664
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Command line argument: /~DBG (0_2_00F41000)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File written: C:\ProgramData\data\rar.ini
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File opened: C:\Windows\SYSTEM32\MsftEdit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: fNlAH8RgLk.exe | Static file information: File size 7251838 > 1048576
Source: fNlAH8RgLk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: irsetup.exe, 00000001.00000003.378608534.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, un.exe, 00000002.00000000.384941709.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000002.00000002.386437532.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000004.00000000.387303508.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe, 00000004.00000002.388627427.00007FF64838B000.00000002.00000001.01000000.00000007.sdmp, un.exe.1.dr
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\vmagent_new\bin\joblist\357500\out\Release\SMLProxy64.pdb source: irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, SMLProxy64.exe.1.dr
Source: Binary string: E:\build\APAssist\Release\WiFiHelper.pdb source: irsetup.exe, 00000001.00000003.381817644.0000000004DFB000.00000004.00000020.00020000.00000000.sdmp, WiFiHelper.exe.1.dr
Source: Binary string: .Pdb% source: fNlAH8RgLk.exe
Source: Binary string: e:\build\360SafeNotify\Release\360SafeNotify.pdb source: irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr
Source: Binary string: P:\intermoutput\S_capital\SetupArpX64_capital\Release\SetupArpX64.pdb source: irsetup.exe, 00000001.00000003.382434798.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, SetupArpX64.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\594305\out\Release\360PayInsure.pdb source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr
Source: Binary string: eex.pdb source: explorer.exe, 00000008.00000002.901761893.00007FFC1B351000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\vmagent_new\bin\joblist\144658\out\Release\360SCLog.pdb source: irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\723346\out\Release\360RealPro.pdb source: irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\640834\out\Release\InstallTMDB.pdb source: irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, InstallTMDB.exe.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\263304\out\Release\360netcfg.pdb source: irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr
Source: fNlAH8RgLk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fNlAH8RgLk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fNlAH8RgLk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fNlAH8RgLk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fNlAH8RgLk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F437E5 push ecx; ret 0_2_00F437F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0045434C push 00000000h; ret 1_2_0045434E
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0045245B push 00000000h; ret 1_2_00452460
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044CAC8 push 00000000h; ret 1_2_0044CACC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00452B11 push 00000000h; ret 1_2_00452B15
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F4563B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00F4563B
Source: irsetup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x14ea30
Source: fNlAH8RgLk.exe | Static PE information: real checksum: 0x1b89e should be: 0x6ef066
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\360sclog.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\360PayInsure.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\360netcfg.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\WiFiHelper.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\InstallTMDB.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\un.exe
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Source: C:\un.exe | File created: C:\Microsoft\iusb3mon.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\360SafeNotify.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\360RealPro.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\SMLProxy64.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\Program Files (x86)\Your Product\SetupArpX64.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File created: C:\WPS_Setup\WPS_Setup_12980.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044668C StartServiceA,1_2_0044668C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00488925 __EH_prolog3_GS,GetClientRect,GetWindowRect,IsIconic,IsWindowVisible,IsWindow,IsWindow,IsWindow,InvalidateRect,1_2_00488925
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044416C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0044416C
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\un.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\un.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Microsoft\iusb3mon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Microsoft\iusb3mon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Microsoft\iusb3mon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\un.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-3010
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: EnumServicesStatusA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,_free,SetLastError,1_2_004429AE
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\360sclog.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\360PayInsure.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\360netcfg.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\WiFiHelper.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\InstallTMDB.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\360SafeNotify.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\360RealPro.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\SMLProxy64.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Your Product\SetupArpX64.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\WPS_Setup\WPS_Setup_12980.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_005D656A GetLocalTime followed by cmp: cmp word ptr [ebp-24h], bx and CTI: jnc 005D65B9h 1_2_005D656A
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindow Got 1067
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-3888
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A06A __EH_prolog3_GS,FindFirstFileA,FindClose,1_2_0044A06A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004C2293 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,_strcpy_s,1_2_004C2293
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A753 __EH_prolog3_GS,GetFullPathNameA,lstrcpyn,_strlen,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,1_2_0044A753
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A8A2 __EH_prolog3_GS,GetFileAttributesA,_strlen,FindFirstFileA,FindClose,1_2_0044A8A2
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004860CD __EH_prolog3_GS,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,1_2_004860CD
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_0044A1CC __EH_prolog3_GS,_strlen,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,FindFirstFileA,IsWindow,InterlockedIncrement,FindNextFileA,FindClose,1_2_0044A1CC
Source: C:\un.exe | Code function: 2_2_00007FF648360D2C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,2_2_00007FF648360D2C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_004359A7 __EH_prolog3_GS,GetLogicalDriveStringsA,MessageBoxA,GetDriveTypeA,MessageBoxA,1_2_004359A7
Source: C:\un.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.12.dr | Binary or memory string: VMware
Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
Source: irsetup.exe, 00000001.00000003.391879736.00000000027E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmtoolsd.exe
Source: un.exe, 00000002.00000002.386260017.0000000000643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSI#CdRom&Ven_NECr&Prod_VMware_SATA_C
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: irsetup.dat.1.dr | Binary or memory string: if(FindProcessByName("vmtoolsd.exe") or FindProcessByName("vm3dservice.exe")or FindProcessByName("iusb3mon.exe") or FindProcessByName("VGAuthService.exe"))then
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: explorer.exe, 00000007.00000003.391520992.00000000008E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_H
Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: irsetup.exe, 00000001.00000003.391879736.00000000027E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmtoolsd.exe+E
Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F42E14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F42E14
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F4563B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00F4563B
Source: C:\Microsoft\iusb3mon.exe | Process queried: DebugPort
Source: C:\Microsoft\iusb3mon.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F42E14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F42E14
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F43FC8 SetUnhandledExceptionFilter,0_2_00F43FC8
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F4239A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F4239A
Source: C:\un.exe | Code function: 2_2_00007FF64837C510 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF64837C510
Source: C:\un.exe | Code function: 2_2_00007FF648380E70 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF648380E70
Source: C:\un.exe | Code function: 2_2_00007FF6483867B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6483867B4
Source: C:\un.exe | Code function: 2_2_00007FF6483860A0 SetUnhandledExceptionFilter,2_2_00007FF6483860A0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Memory written: PID: 3328 base: 370000 value: B8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Memory written: PID: 3328 base: 5012D8 value: 00
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Memory written: PID: 3328 base: 5021E8 value: 00
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\fNlAH8RgLk.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Microsoft\iusb3mon.exe "C:\Microsoft\iusb3mon.exe"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" C:\WPS_Setup
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00458FC6 GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,_malloc,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,CloseHandle,AllocateAndInitializeSid,_free,EqualSid,FreeSid,_free,1_2_00458FC6
Source: iusb3mon.exe, 00000006.00000002.422338869.000000000050F000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: Shell_TrayWnd
Source: iusb3mon.exe, 00000006.00000002.422338869.000000000050F000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: N.?AVCMenu@@TrayClockWClassTrayNotifyWndShell_TrayWnd|
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | Binary or memory string: F\360payinsure\balloon.xmlShell_TrayWnd..\..\Config\newui\themes\default\360payinsure\datetip.xml360payinsure\image\balloonbk_l.png..\..\Config\newui\themes\default\360payinsure\datetip.xml360payinsure\image\balloonbk_r.png..\..\Config\newui\themes\default\360payinsure\datetip.xml360payinsure\image\balloonbk_t.png..\..\Config\newui\themes\default\360payinsure\datetip.xml360payinsure\image\balloonbk_b.png..\..\Config\newui\themes\default\360payinsure\datetip.xml360payinsure\image\balloonbk_n.pngTrayNotifyWndSysPagerToolbarWindow32ToolbarWindow32Q360PayInsureTrayWndQ360SafeMonClassQ360PayInsureTrayWndQ360SafeMonClass
Source: C:\un.exe | Code function: GetLocaleInfoA,2_2_00007FF64838883C
Source: C:\un.exe | Code function: 2_2_00007FF64836EBEC cpuid 2_2_00007FF64836EBEC
Source: C:\Users\user\Desktop\fNlAH8RgLk.exe | Code function: 0_2_00F4478C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00F4478C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_005C6A74 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,1_2_005C6A74
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00458FC6 GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,_malloc,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,CloseHandle,AllocateAndInitializeSid,_free,EqualSid,FreeSid,_free,1_2_00458FC6
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | Code function: 1_2_00446AB7 GetUserNameA,1_2_00446AB7
Source: explorer.exe, 00000008.00000002.897978102.00000000012F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | Binary or memory string: PathSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: irsetup.exe, 00000001.00000003.390902789.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391438208.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377794908.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391694482.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391588195.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391166802.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377807216.00000000027DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: explorer.exe, 00000008.00000002.897978102.00000000012F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "c:\users\user\desktop\procexp.exe
Source: irsetup.exe, 00000001.00000003.390902789.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391438208.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377794908.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391694482.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.397759131.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391588195.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391166802.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377807216.00000000027DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391879736.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000006.00000002.422943703.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 360tray.exe
Source: Amcache.hve.12.dr | Binary or memory string: procexp.exe
Source: irsetup.exe, 00000001.00000003.390902789.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391438208.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377794908.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391694482.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391588195.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.391166802.00000000027DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.377807216.00000000027DE000.00000004.00000020.00020000.00000000.sdmp, un.exe, 00000004.00000003.388269611.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000006.00000002.422943703.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 00000006.00000002.422967355.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, Media.xml.4.dr | Binary or memory string: 360Tray.exe
MITRE ATT&CK matrix (one row per line; a number before a technique is the count of matching signatures; empty cells are left blank):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 3 Native API | 12 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Windows Service | 21 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 12 Service Execution | Logon Script (Windows) | 112 Process Injection | 11 Software Packing | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Masquerading | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 31 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 112 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 System Owner/User Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 1 Remote System Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Behavior Graph ID: 1268859
Sample: fNlAH8RgLk.exe
Start date: 07/07/2023
Architecture: WINDOWS
Score: 52

Process tree, dropped files and signatures recovered from the behavior graph:

  • Multi AV Scanner detection for submitted file
  • fNlAH8RgLk.exe started
    • dropped C:\Users\user\AppData\Local\...\irsetup.exe, PE32
    • dropped C:\Users\user\AppData\Local\...\lua5.1.dll, PE32
    • irsetup.exe started
      • dropped C:\un.exe, PE32+
      • dropped C:\WPS_Setup\WPS_Setup_12980.exe, PE32
      • dropped C:\Program Files (x86)\...\WiFiHelper.exe, PE32
      • dropped 8 other files (none is malicious)
      • Injects code into the Windows Explorer (explorer.exe)
      • iusb3mon.exe started
        • WerFault.exe started
        • WerFault.exe started
      • un.exe started
        • dropped C:\Microsoft\iusb3mon.exe, PE32
        • conhost.exe started
      • un.exe started
        • conhost.exe started
      • explorer.exe started
  • explorer.exe started

Source | Detection | Scanner | Label | Link
fNlAH8RgLk.exe | 34% | ReversingLabs | Win32.Backdoor.Farfli |
fNlAH8RgLk.exe | 17% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Microsoft\iusb3mon.exe | 5% | ReversingLabs | |
C:\Program Files (x86)\Your Product\360PayInsure.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Your Product\360RealPro.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Your Product\360SafeNotify.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Your Product\360netcfg.exe | 2% | ReversingLabs | |
C:\Program Files (x86)\Your Product\360sclog.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Your Product\InstallTMDB.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Your Product\SMLProxy64.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Your Product\SetupArpX64.exe | 2% | ReversingLabs | |
C:\Program Files (x86)\Your Product\WiFiHelper.exe | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll | 0% | ReversingLabs | |
C:\WPS_Setup\WPS_Setup_12980.exe | 4% | ReversingLabs | |
C:\un.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov | 0% | URL Reputation | safe |
http://www.hao.360.comwww.hao.360.comhao.360.comhttp://hao.360.comhttp://hao.360.com/http://www.hao. | 0% | Avira URL Cloud | safe |
http://www.yourcompany.com | 0% | Avira URL Cloud | safe |
https://hao.360.comhttps://hao.360.cnhttps://www.hao123.comhttp://hao123.comhttp://www.hao123.comhao | 0% | Avira URL Cloud | safe |
http://www.360.cnu | 0% | Avira URL Cloud | safe |
https://hao.360.comhao.360 | 0% | Avira URL Cloud | safe |
http://www.so.comhttp://www.so.com/www.haoso.com | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://down.360safe.com/setup.exe | irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr | false | | high
http://hao.360.cn | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.indigorose.com/route.php?pid=suf60buy | iusb3mon.exe, 00000006.00000002.422338869.000000000050F000.00000040.00000001.01000000.00000008.sdmp | false | | high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe | irsetup.exe, 00000001.00000003.381817644.0000000004DFB000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr, 360SafeNotify.exe.1.dr, 360sclog.exe.1.dr, 360PayInsure.exe.1.dr, WiFiHelper.exe.1.dr | false | | high
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro | explorer.exe, 00000008.00000002.902172633.00007FFC1B439000.00000002.00000001.01000000.00000010.sdmp | false | URL Reputation: safe | unknown
https://hao.360.com | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.yourcompany.com | irsetup.exe, 00000001.00000003.392173768.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392078511.0000000004D0C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.376316871.0000000004DFA000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392182528.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392266060.0000000004D14000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.392003893.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, irsetup.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://yx.360.cn/impression/%s&http://yx.360.cn/impression/%s?comment | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe0 | irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | false | | high
https://hao.360.comhttps://hao.360.cnhttps://www.hao123.comhttp://hao123.comhttp://www.hao123.comhao | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://bbs.360safe.com/thread-6839592-1-1.htmlhttp://bbs.360safe.com/forum-100-1.htmlUtils | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.360.cn/safeBrainhttp://weishi.360.cn/top_security//panel=14001http://www.360.cn/n/11802.h | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.hao.360.comwww.hao.360.comhao.360.comhttp://hao.360.comhttp://hao.360.com/http://www.hao. | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe8 | irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | false | | high
http://down.360safe.com/setup.exeDllGetClassObjectCreateObjectInitLibsT | irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | false | | high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe$ | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr | false | | high
http://update.360safe.com/v3/safeup_ds64.cabsafeup_ds64.inihttp://sdup.360.cn/v3/safeup_libex64.cabs | irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | false | | high
http://down.360safe.com/setup.exeSOFTWARE | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://fuwu.360.cn/jubao/wangzhi?url=%s$http://xianpei.360.cn/introduce.html | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://www.hao.360.com | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
https://u.xianpei.360.cn/ | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://www.360.cn/n/10575.htmldetailshttp://bbs.360safe.com/thread-5744696-1-1.htmlSOFTWARE | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.360.cnu | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://xianpei.360.cn/ | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://down.360safe.com/setup.exeIsBetaVersion360ver.dllGetChangeSkinManagerGetMiniUICompatibleGetSi | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360 | irsetup.exe, 00000001.00000003.382952851.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360SafeNotify.exe.1.dr, 360sclog.exe.1.dr | false | | high
http://bbs.360safe.com/forum-990-1.html | 360PayInsure.exe.1.dr | false | | high
http://bbs.360safe.com/thread-2181954-1-1.html | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://s.360.cn/wangdun/baoxian.html?stype=wd_bx&mi= | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
https://bx.wd.360.cn/index.phpError | 360PayInsure.exe.1.dr | false | | high
https://hao.360.com/?360safey1017?y1019?y1018?360safe | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://s.360.cn/safe/stat.html?stype=realpro&type=%s&pid=%s&m=%s&zt=%d | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://hao.360.com/ | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://fuwu.360.cn/lipei/baodan | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://ocsp.thawte.com0 | irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr | false | URL Reputation: safe | unknown
http://hao.360.com | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://xianpei.360.cn/agreement.html3http://www.360.cn/privacy/v2/360anquanweishi.html#7 | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov | explorer.exe, 00000008.00000002.902172633.00007FFC1B439000.00000002.00000001.01000000.00000010.sdmp | false | URL Reputation: safe | unknown
http://bbs.360.cn/forum.php?mod=forumdisplay&fid=140&filter=typeid&typeid=105325 | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://upx.sf.net | Amcache.hve.12.dr | false | | high
http://www.indigorose.com/route.php?pid=suf9buy | irsetup.exe, 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://xianpei.360.cn/protocal-pop.htmlhttps://xianpei.360.cn/protocal-pop.html360Q | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://www.symauth.com/cps0( | irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.dr | false | | high
http://www.indigorose.com | fNlAH8RgLk.exe | false | | high
https://u.xianpei.360.cn/?tid=%s#%s | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://bbs.360safe.com/forum-100-1.htmlk2 | irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | false | | high
http://hao.360.cn/ | 360RealPro.exe.1.dr | false | | high
http://xianpei.360.cn/introduce.html | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://xianpei.360.cn/fanlesuo-protocal.htmlhttps://xianpei.360.cn/fanlesuo-protocal.html360 | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://sdup.360.cn/v3/safeup_libex.cabsafeup_libex.ini360app360safe | irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | false | | high
http://www.symauth.com/rpa00 | irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360netcfg.exe.1.dr | false | | high
http://www.110.360.cn/safevideo.html.http://bbs.360safe.com/thread-2508392-1-1.html$http://xianpei.3 | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://update.360safe.com/v3/safeup_ds.cabsafeup_ds.ini360dsapp360dsplus | irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, 360netcfg.exe.1.dr | false | | high
http://www.winimage.com/zLibDll | 360PayInsure.exe.1.dr | false | | high
http://service.weibo.com/share/share.php?title=&pic=Internet | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://www.so.com/ | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://fuwu.360.cn/agreement.htmlOhttp://bbs.360.cn/forum.php?mod=forumdisplay&fid=140&filter=typeid | irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, 360PayInsure.exe.1.dr | false | | high
http://es.f.360.cn/stats.phpChromePlusHTML | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.360.cn | irsetup.exe, 00000001.00000003.383272965.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382700532.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382434798.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382073159.0000000004DFF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000002.393621600.000000000016E000.00000004.00000010.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.381817644.0000000004E34000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.382952851.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000001.00000003.380505031.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, SetupArpX64.exe.1.dr, InstallTMDB.exe.1.dr, 360SafeNotify.exe.1.dr, SMLProxy64.exe.1.dr, 360sclog.exe.1.dr, 360PayInsure.exe.1.dr, WiFiHelper.exe.1.dr, 360netcfg.exe.1.dr | false | | high
http://www.hao.360.cn | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeX | irsetup.exe, 00000001.00000003.381419251.0000000004DF5000.00000004.00000020.00020000.00000000.sdmp, 360sclog.exe.1.dr | false | | high
https://hao.360.comhao.360 | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | Avira URL Cloud: safe | low
http://www.so.com | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | | high
http://www.so.comhttp://www.so.com/www.haoso.com | irsetup.exe, 00000001.00000003.381101423.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp, 360RealPro.exe.1.dr | false | Avira URL Cloud: safe | unknown
                                                                                                                  No contacted IP infos
                                                                                                                  Joe Sandbox Version:38.0.0 Beryl
                                                                                                                  Analysis ID:1268859
                                                                                                                  Start date and time:2023-07-07 06:04:08 +02:00
                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                  Overall analysis duration:0h 11m 32s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:full
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • HDC enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Sample file name:fNlAH8RgLk.exe
                                                                                                                  Original Sample Name:9a90e115834ba8339bd0cc43c034ad55.exe
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal52.evad.winEXE@16/38@0/0
                                                                                                                  EGA Information:
                                                                                                                  • Successful, ratio: 100%
                                                                                                                  HDC Information:
                                                                                                                  • Successful, ratio: 99.9% (good quality ratio 90.4%)
                                                                                                                  • Quality average: 71%
                                                                                                                  • Quality standard deviation: 31.4%
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 85%
                                                                                                                  • Number of executed functions: 177
                                                                                                                  • Number of non-executed functions: 189
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  • Override analysis time to 240s for rundll32
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, rundll32.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.42.65.92
                                                                                                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:05:23 | API Interceptor | 1x Sleep call for process: explorer.exe modified
06:05:29 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                                                                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Your Product\360PayInsure.exe | 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe | Get hash | malicious | Unknown | Browse |
 | 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe | Get hash | malicious | Unknown | Browse |
C:\Microsoft\iusb3mon.exe | #U4e03#U6708#U5de5#U8d44#U63d0#U6210#U53d8#U52a8.exe | Get hash | malicious | Unknown | Browse |
 | 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe | Get hash | malicious | Unknown | Browse |
 | 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe | Get hash | malicious | Unknown | Browse |
                                                                                                                            Process:C:\un.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):120832
                                                                                                                            Entropy (8bit):6.176735846098832
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:epabhKNU9Y1cRdbq4K3lDEZ8LCtv86YGTYTyZXxYsWVxDcdSwZJd0b:A4Yiu4cEZxtv862TyhxU0SeJd0b
                                                                                                                            MD5:3C44FFEB6626913540CE8527FDD3BEE1
                                                                                                                            SHA1:2787A3086BEE20D6CC8A6D241F8F2AB839627B94
                                                                                                                            SHA-256:C8DCB9EB74ED66AB93620C0184011AF8E2619BFA94B46D60D5B3CB4EB9F7338E
                                                                                                                            SHA-512:68F5599A89FDB06F07A83145978FED84D63AC9BD149F12066B8A94F427C4F98AFEEB9CDDF08772086E9365C5332CDB56D9489C414179E53729F95136828ADADD
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\un.exe
                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):135783
                                                                                                                            Entropy (8bit):7.997441297528924
                                                                                                                            Encrypted:true
                                                                                                                            SSDEEP:3072:5GxL38Fy8dTdQ+Zih7Tgpf0WOGWShYkI33xIsaO1zq0aF7I:medTu+wtTgpf0WxxhQ3BIswVI
                                                                                                                            MD5:4AE5E8BDD68861DF10F01FE268859588
                                                                                                                            SHA1:E4597CE8BB10E432689B300249915863321B6625
                                                                                                                            SHA-256:E650BFF476C2F77D87C26C2B20BEDB40FF1FBE43F20581BC1853C8DFD7B30046
                                                                                                                            SHA-512:B82EBC66288B7047D95C08A3477653520921FB3954B64623C7A3CB8F0E7F7E3CEE3C7BC25138151074CFD609A22956F93FD130C0AD472A3DB78BDA63FAF9E18C
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\un.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):486832
                                                                                                                            Entropy (8bit):7.861787599828189
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:gNrhTLpMP+R+QDCfA832AtBYmz6af0F7Z1QVjSOsJ/:gthTiP+ffCfB5Lf0F7Z1EDsV
                                                                                                                            MD5:1B9D1C5BDDAFF4DD75A470FA12E35E66
                                                                                                                            SHA1:7078518F4236777D4E83217D53DDB9A82E7435D4
                                                                                                                            SHA-256:09FA13690D4BB135B40E8C5A8ABE1D0072955981DDC7D8361D1BC3A23E79255F
                                                                                                                            SHA-512:B8E2F8AA597D860EACAEE8C8BBB652EA5CDB0B14A6720B4C97481EC531FBDF2BA83B7F6E1D664447AE1C388C5E768BB972A6B8A9414151E2CC4374AAE3EA3194
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                            Joe Sandbox View:
                                                                                                                            • Filename: #U4e03#U6708#U5de5#U8d44#U63d0#U6210#U53d8#U52a8.exe, Detection: malicious, Browse
                                                                                                                            • Filename: 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe, Detection: malicious, Browse
                                                                                                                            • Filename: 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe, Detection: malicious, Browse
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1235936
                                                                                                                            Entropy (8bit):6.438869107797385
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24576:BAGsm3KeRBHSYeHQn4+JTwoOQTVfgFq9i:h3h1ewn4qnTOB
                                                                                                                            MD5:5BB9A277E78E6D8AA2782BD4E20D94C4
                                                                                                                            SHA1:575CF58BD1308817A88E08D32AE71D6FB2969E5F
                                                                                                                            SHA-256:43285B56677A2494D39AF03388DE80D9885FDD3BA4511A6375B29C93BF4EAF2D
                                                                                                                            SHA-512:EB45CB32F8BB00D6BA2524F115D4B0A1547C4FB0B3D10C4DAEC003CA8B9CD0BCD3B24B11222402036438AC71DE45C899C6B95172E51D0A7EA21718AE9C296D71
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Joe Sandbox View:
                                                                                                                            • Filename: 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe, Detection: malicious, Browse
                                                                                                                            • Filename: 6#U6708#U5de5#U8d44#U53d1#U653e#U7ed3#U7b97.exe, Detection: malicious, Browse
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):605416
                                                                                                                            Entropy (8bit):6.601778426261702
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:8VohgnmJhL5+6qN3MRXHgkzJey/f+Pqq5uYz6waHxa3XAVt:82hlL5+6qN3MRXcy/rq5uYWwaHgkt
                                                                                                                            MD5:CAC540F209AC56408429D98457C8A640
                                                                                                                            SHA1:532BB1D7246B6E84ED6B8CC2503A789B82AC08A3
                                                                                                                            SHA-256:DC5B9288FB0BC95D7F2712488E13F174E75BFB1EBF884AD0290B6FF3096A014E
                                                                                                                            SHA-512:A4AC0ACAA4F7BA0F3692AD0132533808196335DE89F296064DA38CDDD22E8A588835E2998B7D96A7C16439DE055E0501D19BEFA5E99AA1A8FB4FECDDB7DB5016
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):257352
                                                                                                                            Entropy (8bit):6.825804480457841
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:6iFrTOKHRUeZ4KGBXciLjJO7j58AvvzYs34:3TOqRUFKGBXcihO79YK4
                                                                                                                            MD5:D66764206A7FD0C6C4CCF273EDD99A83
                                                                                                                            SHA1:63654FD7C510D9CC287FA5139229B04C3836C6CA
                                                                                                                            SHA-256:0FC6FF4F5F077BDD953258085AD70C7EC57A05035B3B9DDA5305457738EDE9EB
                                                                                                                            SHA-512:494049F81A60D1C8685602CEA910C58E9CD8B66D9F2DF8CFACB0CFBC2FAC53D99BE252D02D008408F2549BB484170EBD42FFABA81A4AA2DAC8CBE35BA885421F
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):243272
                                                                                                                            Entropy (8bit):6.461994501621771
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:JY43hoAzCdvM8FuLxhsoFSZ3fnSp1W9H0cHnbqXq5a3Yz3nYKJH8UKrJN:JYSPGJMLvsmE3/o1W90cHbqX1kYR7L
                                                                                                                            MD5:7D47BD34F018D83A329ADB17D9238E16
                                                                                                                            SHA1:F32B34F0AD9F9DC7FA44C97B0C754CAB6A89A28D
                                                                                                                            SHA-256:EBC9553C516C87CE4C224B0D835044AA905F0B976FAA2487BD6AB473181D3C33
                                                                                                                            SHA-512:D9B13E2D8868455D41B0AF3FB0508410CC0502F8738CD854477A9EDF6AAF9AEC3C88CC8F1B18F3D86A933CF0F32BAF7B5545D2C05AAA8D01F54CE15E440B60D2
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):431016
                                                                                                                            Entropy (8bit):6.441099067344102
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:Qxb/HJKBpgeBtCxbGY6wvuE7VG0LYqFDk3BTXiXr0QBrLDGbnLcbcl:ab/8KLXLYquE0Q1Lcn+e
                                                                                                                            MD5:62A97409C90C0FE85EDA0085E8FCEFAB
                                                                                                                            SHA1:FD626547A837F2A721E7AFA872B694C4E42D30DE
                                                                                                                            SHA-256:350446B68668D3DEA1EB6E011677E4A407309110DBAA178C68C7092E81F1746A
                                                                                                                            SHA-512:20996553D8C00F11761C7360F385C2E9A772ED2248E403FEEDF254118512BDF43E1AF838171E7C69938F4850382A68BCC0390482A9A38B4DEDE542DD2D355893
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):250384
                                                                                                                            Entropy (8bit):6.4195361088846115
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:WsU3yKyNu7Q834o3C4D59eok4l6vTQC2mCd6IsLv2uQAswvLYaxMrpAS9Ty9Sqeh:+CKyN6Q8oB4D3eZ4lvIv2uO0Mrphhy9g
                                                                                                                            MD5:BAF0FB3509F070E797938DCDABC32966
                                                                                                                            SHA1:80CC2934358E37D8503AC8D1C1246137CB368CD3
                                                                                                                            SHA-256:45A05414DF646B7054171F268C9164619F9DD6006C93697361B9ECF4D23305AA
                                                                                                                            SHA-512:2199E8CEA0B37C2F07D3F3F408F2167351C9BC0AEAE2C46375D9AEBB65EE1DF098DA748497B556227EBC5D4A5802ECABF2C68600DA2BF2C1B73E93C3FC1BDCF3
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):259400
                                                                                                                            Entropy (8bit):6.226500572608065
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:qiG0+imy82Umtxr8dUaap/UUOY3VKcatIolfNUUVt4bRwGePhDuIzpbrxFQ:qiGQmt2UmPBRpYY3VKcatHfL8qjDuepo
                                                                                                                            MD5:94D785A33C5B9314492444AE9E7E676E
                                                                                                                            SHA1:056ABB46A6CCE6AF4E664DD106F1E7E7A1CCE545
                                                                                                                            SHA-256:7135378B4A4F126D357DB586EEF5FDE6F3E8126CE06FB62B2C4BCDBAF01BA3F1
                                                                                                                            SHA-512:02CC4EDB0279006851D59A3B6D4509A2A16343400C75FB9C97B797AD814A5D25A870AB516C1849E53246845E00AEAC28EAE6955966E04D2911E383E4BC56EE5D
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):246088
                                                                                                                            Entropy (8bit):6.382970623199379
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:dXVfRILD5IJoY4auTKDtpVzz5gqwhqzie8:dXVfYD5MJDtpFzuzO
                                                                                                                            MD5:6CE7734F7C72F4B7E0CB8497D369957C
                                                                                                                            SHA1:ECB8A805FDBC8C1487531EEB99DD274CD8A0570F
                                                                                                                            SHA-256:050CF678A4CA90C88734851ECAB015BC96E8A49B7BA9C7F5EC751BC73B918B05
                                                                                                                            SHA-512:7D6941E82FB7FE7CE947F962D3D9DA4A96A6BC7014E346057CB7468AEDD78D6A5DE748E1A4432C0DC63D92F5AE3853214A4C08AAA8D45D4515D2F738219827A8
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):240968
                                                                                                                            Entropy (8bit):6.880059969311975
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:m7eg3RXX7TCF/YYMLcmaktJcDt9yZWE1+:m7eAhTYgYMgktJcD5E
                                                                                                                            MD5:A8130BF291D60B2659EC297F79C03011
                                                                                                                            SHA1:409BBF20A2F0B0062760C094DAE86CCA5D38F567
                                                                                                                            SHA-256:C72E21ACE4E6369D5D223D375A8AA4C7EB9359F8F596383A9D23CFC19D057DC3
                                                                                                                            SHA-512:855B2EDDB42C79B0505B153CCB16BF9B39DB0B0ADF04B40A0B0C750377CE3BDE92FA00221660F25DCA2EEBB0ADFF30BC828EA032563E83A4B987FF39ABCECD02
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                            Process:C:\un.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):364544
                                                                                                                            Entropy (8bit):6.990414693256013
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:1bkvoQn9UIC3CZsJ8g0y4q0TplCVDbaube:pEvC3jdlGHWDbaube
                                                                                                                            MD5:06465757C8D17DCF452AC3F727501980
                                                                                                                            SHA1:701D2596B3224ADEE8B35A5A098B6F8583DB7302
                                                                                                                            SHA-256:09E7BCAD5164FD76BD952AE329D1456C62C3F4DFF951148F9C5C9DD6D38B1B20
                                                                                                                            SHA-512:C5282049F6F60E488C80AD1BBA0F4E67976B649B58F8283CFAD1F9514127986C80D5BA7A5665EAED40721CC3742F47BD4157786495473CB98E7279E45262AE8C
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):0.956358376052647
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:c/V8sgQ5HBUZMXojLN67/u7sPS274It3F:S8sgQpBUZMXojg/u7sPX4It3
                                                                                                                            MD5:90658E574E6D4A5E99C7D4EAB95524FE
                                                                                                                            SHA1:1FC45EE43090C36E5F384CA2A4827A8D6AB90CC6
                                                                                                                            SHA-256:65EA45A84CDBC21CB283581441DD0A67627DA16571E3F21FE9C419363421C156
                                                                                                                            SHA-512:BF392EAA6EAC2CD5722D5484B1EDE7F7376091FA04DEF880A9D9ED749F81E685DB7F635F0F890A0849A32FB9C7FDA42A4C42C08CE06491F2439B2DA105E29702
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):0.9619109807187878
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:FyFQ6sgQfF9acot7RoSKpXIQcQac6LUkcEXcw3JH+HbHgoC5AJkq+Ok6GFYAKcEt:c7sgQ9H0ckdajLN67/u7sPS274ItKF
                                                                                                                            MD5:8733BE0FCC8AB3F186D10FC3E7AD5E86
                                                                                                                            SHA1:3C8AC95C56586066B33E228BFD5CEC4B1D926858
                                                                                                                            SHA-256:D69432317555D58C1B883D2C81268C8CF67E8792592DCB206EA8B62A1FB2A3CA
                                                                                                                            SHA-512:3D74263FC03980801FB342B27D2C145B11B45AD03C04EEADFE50F7AF0B1BB0026912C0FDA6BD10715ECF2E468FD9B3BFE5CFDFEEC7300A0DC5FE391A28DEE5B2
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Fri Jul 7 13:05:21 2023, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):63358
                                                                                                                            Entropy (8bit):2.1145871362197144
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:SfLxMqfOQAPOWLPBGjhdglCqZ6oX7nSnd4duGteG4f+iSYP5jnu1sYqL6NQCBhm8:+HfO5GWLBWgcqhCLRrRu1sYJa
                                                                                                                            MD5:87511AD3DA6F0C3EFB6205BB935F1F4E
                                                                                                                            SHA1:EDFBD8A0DA7394689380E75B18309B93EC4729C6
                                                                                                                            SHA-256:D5CA3FD4A1FAEA3C562E7A84A8DFB61C65CCBCDE56A778A116FEB57D7CEBC902
                                                                                                                            SHA-512:DD749DE8FCAFEA47E514DEAD4CE2E1A1B429A8E8D9AF360EB4B15C83299C159AA01B9FF7627EEB6FD7D9DB6749E8C03FE91EFB924BC95C12FEE6DB0E29DC18BA
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6306
                                                                                                                            Entropy (8bit):3.7247332242288618
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:Rrl7r3GLNinz6Ia8WY/SDCprY89bNNsf/Pm:RrlsNiz6Ia9Y/SmNGfW
                                                                                                                            MD5:C6CA035AE37744FDCC95C17228E9C9A9
                                                                                                                            SHA1:852FE896C9F90E5F4B12439FCA59BAD90CD223F2
                                                                                                                            SHA-256:49496885E724550542DCB73CBD8A9D4DFA1A1F796B277FAB02733F24C169019A
                                                                                                                            SHA-512:2105D915D2CDE0E9B72A9521FA8C220564F575A31A49093C6E67EDEB0CA76236096A76761B8534447FFAAA5B7836C18709A68EF4CF0BFFD91278B6295CCA12BF
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.<./.P.i.d.>.........
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4657
                                                                                                                            Entropy (8bit):4.491109996239975
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwSD8zsUJgtWI9DzWgc8sqYjJ8fm8M4J3cR2ZF4A+q8+Unm7oBfg24d:uITfSECgrsqYCJMA0A8m7oFg24d
                                                                                                                            MD5:0ECF6E0D7EB84695226574BE454E2DD4
                                                                                                                            SHA1:BEC3FA4DC92CD38B9E28A1D3BD8E3ED53CD979FF
                                                                                                                            SHA-256:4856253097C55B4BEA8D1AA3099EF399B64DA5C055AE5EC2F917D5803EE89E7D
                                                                                                                            SHA-512:C84719633AA84282DDCAC6914BD641E6318D5B790483FF534517E5B31A0A6E9E164979B95A057F91E8BF9AE5F5857E0E884A7C3A46D02F984A019F88EC1DD653
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2118136" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Fri Jul 7 13:05:29 2023, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):63262
                                                                                                                            Entropy (8bit):2.104030408291866
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:YHfOZlWLBdHJcadugDcqhENc4RNpiFMaz:lWLBrc+St9piL
                                                                                                                            MD5:4EC8353560862047FBCAF625279E9E26
                                                                                                                            SHA1:BB169F7E7D49E1F340E43AE901AC25424A0328C3
                                                                                                                            SHA-256:028C9AF98C95A704B0527FD813D6F0CB7D2D6F3834D93CF71BA7041D8EFC7A8A
                                                                                                                            SHA-512:A58A6B37779F249CEB0E40657E82AC121473EDCAF4FCD81B37EA39E312652D2752FB3CB61AD1D8C4D32F1A15D84B5193CE6077B0557C93DFCFB73797B7D4E377
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP....... ..........d............$...............8.......$...T.......4...t9..........`.......8...........T............!..N...........x...........d....................................................................U...........B..............GenuineIntelW...........T..............d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6372
                                                                                                                            Entropy (8bit):3.722441683545459
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:Rrl7r3GLNinD6IaepYLSOBCpDT89b1NsfMHm:RrlsNiD6IaAYLSON1GfR
                                                                                                                            MD5:46B881E6A38C8BE446715CBE284854E5
                                                                                                                            SHA1:30A7EFF798CB05D7E6FD2CC0DA5EF46FC154648C
                                                                                                                            SHA-256:176169CB49E2ABA180B7F78A1F681EFEB1FE554E69B550985520D2D6030753BC
                                                                                                                            SHA-512:F6922F7B5AFBE167D6D45A444562A9DD7026B3082AF690DC29AE91A593D364950DB77250CCB153AC9EE656E88F52D08C30510E085770967BE10CA5B9402447A9
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.<./.P.i.d.>.........
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4758
                                                                                                                            Entropy (8bit):4.476534035491151
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwSD8zsUJgtWI9DzWgc8sqYjc8fm8M4J3cRqFp+q8vocRcoBfg24d:uITfSECgrsqY1JMcKd6oFg24d
                                                                                                                            MD5:8834F4864B6ED1EF0DF1D32D983B1217
                                                                                                                            SHA1:36D6605347C86FB18760A25F2A9EC8E758B37DBA
                                                                                                                            SHA-256:119C60A680C0E84F33CD91CF90BE0CBEF5287BC1B96BD1EF69BA389EE0953A10
                                                                                                                            SHA-512:4A10A8C5AE4D236FE806A6E3A7E1B8D30F1038109E0DB50C99CD1233968B032E06CF94D8492CE7F1B1073EB53CB441B0D486BCBDDD68BD94E0DAA80D71255C6D
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2118136" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:RAR archive data, flags: EncryptedBlockHeader
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):865340
                                                                                                                            Entropy (8bit):7.999802123118812
                                                                                                                            Encrypted:true
                                                                                                                            SSDEEP:24576:BsIow/1fkkir0vAsXOKyKVTL8m9kqMilXbzT:t1MXrHUdygbMiJbzT
                                                                                                                            MD5:BCB4E84D2E5618A434924F9133EA2EB6
                                                                                                                            SHA1:C5CEC2B0654E044F7606B2AF9EABB543A95120D2
                                                                                                                            SHA-256:50FC373CC7D214B806BA21CE2BD21572D7C322F1C6E61C05416ECCBD6BE5C06C
                                                                                                                            SHA-512:8EAF0859DFA01E2871DC254C2CD0537F7DDD32D29177D5F6379CBABCE944E3DBD7DEC7C7BD58179BB193E09E9C88CD32662FDFA0DA1F8EC5E9909BF76AD5B264
                                                                                                                            Malicious:false
                                                                                                                            Preview:Rar!....s...........N../Lq./...W....k7..-..3.......7..H..;.n....;.......`wl.......9.e.O*...."n..w.-......y.#}..D...W...b..|..D#.J..y`............Z~X.+......z..xh..0E?..!.D...!...nmIK....YY..o...Wft...N........~....2...."<w.d<.v8..5.I......d....:s..H.u..../W}..m...w...[@V../d..........^..2L@...aB....}8.XHg..P..?-.e..V._.Xc.<..!o1*pO.$...e.......?.sN'F."T.....kv..>...`..l.qC.#d...9.|:..1P...........<...c]1..Y.%.)^I.<.a|....>%..84...F....#.U=.`.J...ma.wV..8.......q....\..7.rQ.82..D.B.kYU...S...'f......&=......@...>*.m.|..t....u.....8...G.L~..v.>..._.......>*.6@@.$5.....e.c.%e..I.b...U....F|+_.....9...$2.r\-,B.....P..p.a.....p...3.C..Khz...._.4.3.....$....>Pa...(._~w....LZ..n..p....oh]Y..g..C%.@1.r.O...T...F..0..!nq....s'..... .)..@........z..j...CQ......N...6..4.....cZ...L....B?...B.yk.'..(.N.l..\.iHChx.WC[d....T......g"T7.....!^.|X..Z.......1...x..EC....=.Iw`f+....T.....d-Q...2....D*..w.).......W)...y`.....:x...XYC..S.gC?]...m..z ...KP4..
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):10
                                                                                                                            Entropy (8bit):2.921928094887362
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:oeJ:o8
                                                                                                                            MD5:51C11DB1054DD4650A33BF481EC27060
                                                                                                                            SHA1:17686B75163D8753BE27E407AAD97A76F311FC7B
                                                                                                                            SHA-256:FC835086345B170AC995C35F24546E1B7268E3D3524A125A9396A4EC8B7D3F35
                                                                                                                            SHA-512:94D5C2A0CB03B38657BAB246A695C6528FC5F7D3DDBE716641DD59EC83A67D6AB28C083000026D10114E7AB8F8225F7C90C9FCE25EF0611F46AA3899D096D80F
                                                                                                                            Malicious:false
                                                                                                                            Preview:C:\\un.exe
                                                                                                                            Process:C:\Microsoft\iusb3mon.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):328
                                                                                                                            Entropy (8bit):5.169362088069007
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:qSKNUVSPRyttkjUVSWK16AbKiCmtUVSWKaiSUVSPsWmcNVFSUVSPLeSp7xAQGrBv:kNYcatkjYtW6BiftYtziSYcsnYcLdple
                                                                                                                            MD5:9C204F6E8D19FBE5A8561A65315136CC
                                                                                                                            SHA1:6537F99AC82F085763E815B36B9AE6739746986C
                                                                                                                            SHA-256:215B3CE8752E7073BEACF5D436B0E475AFDAC7DC870EB58BFCE0E229A90188C1
                                                                                                                            SHA-512:F0A76D6074F24C94BEAF18A8FA46BCD72876D89CCF836C132877A1458CC0D53A1D1170E1AB283A776D77235255A473F719CC1052C9034061FF80CF7B5A0F440B
                                                                                                                            Malicious:false
                                                                                                                            Preview:[07/07/2023 06:05:17] Success.Update started: C:\Microsoft\iusb3mon.exe..[07/07/2023 06:05:17] Notice.Update engine version: 3.8.0.0..[07/07/2023 06:05:17] Notice.Product: Xshell 6..[07/07/2023 06:05:17] Success.Language set: Primary = 9, Secondary = 1..[07/07/2023 06:05:17] Success.Include script: _TU20_Global_Functions.lua..
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, components 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2362
                                                                                                                            Entropy (8bit):7.670995643119166
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:o9YMAuERADl78E1g3e2OHBTTxE4+NaEIT9paYvo6su:gh7EQVXgt+NYgTnw6X
                                                                                                                            MD5:3220A6AEFB4FC719CC8849F060859169
                                                                                                                            SHA1:85F624DEBCEFD45FDFDF559AC2510A7D1501B412
                                                                                                                            SHA-256:988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
                                                                                                                            SHA-512:5C45EA8F64B3CDFB262C642BD36B08C822427150D28977AF33C9021A6316B6EFED83F3172C16343FD703D351AF3966B06926E5B33630D51B723709712689881D
                                                                                                                            Malicious:false
                                                                                                                            Preview:......JFIF.....H.H.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......?...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T.).*.{-.I.U..i.*.P.U....)..J..9..A*@.(Lu..k...5R.T......}..E&..$.O.P}..@>.}..L....,.....t......c...ar.Z\.....R...7 .....z......k.OS.Q.'....r..?...4.x...P.G*..y....L.........|....;z.a.4......SL...S.!.d+.3.....w..)..i.....{.......Hi....)._.~..q/..Ji..v@<.....ne......j..q..Q.C..}G.L".5I!]........._E..")..*..1.....SM...qj...j1.+...n..M:..C..j.H.....;...N..
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):29054
                                                                                                                            Entropy (8bit):5.195708227193176
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:wjV66AV66RU53DaYNg7y5fJ+dwd7L/dSivXHk4eo:wjs6As6R4aYyCfToi7R
                                                                                                                            MD5:AC40DED6736E08664F2D86A65C47EF60
                                                                                                                            SHA1:C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA
                                                                                                                            SHA-256:F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
                                                                                                                            SHA-512:2FBD1C6190743EA9EF86F4CB805508BD5FFE05579519AFAFB55535D27F04F73AA7C980875818778B1178F8B0F7C6F5615FBF250B78E528903950499BBE78AC32
                                                                                                                            Malicious:false
                                                                                                                            Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS2 Windows.2008:07:08 14:20:15........................................8...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................U.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...J....X.Z..l.i.........jl....p..........*..\\.I<...=..v.....(..A.%.P.'!."UI.I....z.u...wq..*..hc4kt.6R.7H.Z.[.#O..O
Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:data
Category:dropped
Size (bytes):140614
Entropy (8bit):5.953245138953227
Encrypted:false
SSDEEP:3072:7AW0HGl6b158j3GJhQcvQcREH3SgLb/go4d:708Lb4dd
MD5:9FE51FE6DC9B0DF64AEBA16164A29883
SHA1:A71E7F1FDF213305FBA39ADC51718AB69138E380
SHA-256:C1E7A11C4E7F65494E1F7D8B8083A371759A08E244BE93CEC3500F7E6D36CE9E
SHA-512:B8EB97D93A06E1629453AE5914243031C53D7F8CD35EC723716BEFD92FC94EBF28BBC1ADE08621069C2297027622BFEF2E0167A1D1A49B810259406C52DA5ACA
Malicious:false
Preview:........CGlobalIncludeLuaFile.........Constant Definitions..XMB_OK=0;..MB_OKCANCEL=1;..MB_ABORTRETRYIGNORE=2;..MB_YESNOCANCEL=3;..MB_YESNO=4;..MB_RETRYCANCEL=5;..MB_ICONNONE=0;..MB_ICONSTOP=16;..MB_ICONQUESTION=32;..MB_ICONEXCLAMATION=48;..MB_ICONINFORMATION=64;..MB_DEFBUTTON1=0;..MB_DEFBUTTON2=256;..MB_DEFBUTTON3=512;..IDOK=1;..IDCANCEL=2;..IDABORT=3;..IDIGNORE=5;..IDRETRY=4;..IDYES=6;..IDNO=7;..SW_HIDE=0;..SW_SHOWNORMAL=1;..SW_NORMAL=1;..SW_MAXIMIZE=3;..SW_MINIMIZE=6;..HKEY_CLASSES_ROOT=0;..HKEY_CURRENT_CONFIG=1;..HKEY_CURRENT_USER=2;..HKEY_LOCAL_MACHINE=3;..HKEY_USERS=4;..REG_NONE=0;..REG_SZ=1;..REG_EXPAND_SZ=2;..REG_BINARY=3;..REG_DWORD=4;..REG_DWORD_LITTLE_ENDIAN=4;..REG_DWORD_BIG_ENDIAN=5;..REG_LINK=6;..REG_MULTI_SZ=7;..REG_RESOURCE_LIST=8;..REG_FULL_RESOURCE_DESCRIPTOR=9;..REG_RESOURCE_REQUIREMENTS_LIST=10;..DLL_CALL_CDECL=0;..DLL_CALL_STDCALL=1;..DLL_RETURN_TYPE_INTEGER=0;..DLL_RETURN_TYPE_LONG=1;..DLL_RETURN_TYPE_STRING=2;..SUBMITWEB_POST=0;..SUBMITWEB_GET=1;..ACCESS_READ=1310
Process:C:\Users\user\Desktop\fNlAH8RgLk.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):1344512
Entropy (8bit):7.921180289353584
Encrypted:false
SSDEEP:24576:8FYGY9+9d/G7P9lkQ/exnzGn4dLsUvqkaT+0BpCCh+PDed:TN26FOnzGn6LJvqkwnpC+m
MD5:DEC931E86140139380EA0DF57CD132B6
SHA1:B717FD548382064189C16CB94DDA28B1967A5712
SHA-256:5FFD4B20DCCFB84C8890ABDB780184A7651E760AEFBA4AB0C6FBA5B2A81F97D9
SHA-512:14D594E88C4A1F0EC8BC1B4FE2D66E26358F907B1106C047ADA35D500CA9E608F1CE5A57599453CF10F11F4D9F1948CED9056CE8BD944B16ECA7E9B83E8B27AF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\user\Desktop\fNlAH8RgLk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325960
Entropy (8bit):6.876135679379316
Encrypted:false
SSDEEP:6144:ukn2LG5bwf92+0HiDhAqUS0aMkvAvBtAOj+JzOghK:r2x2cdUhZuIBt8xc
MD5:B5FC476C1BF08D5161346CC7DD4CB0BA
SHA1:280FAC9CF711D93C95F6B80AC97D89CF5853C096
SHA-256:12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650
SHA-512:17FA97F399287B941E958D2D42FE6ADB62700B01D9DBE0C824604E8E06D903B330F9D7D8FFB109BFB7F6742F46E7E9CEDAD6981F0D94D629B8402D0A0174F697
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Microsoft\iusb3mon.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 111x63, components 3
Category:dropped
Size (bytes):6887
Entropy (8bit):7.912044261903433
Encrypted:false
SSDEEP:192:EqK9OIJV7hREPQEOPdivlu54UovmNqg0aB0kOI:EJIIJVcPQEOEvMJoON/0aBwI
MD5:E39405E85E09F64CCDE0F59392317DD3
SHA1:9C76DB4B3D8C7972E7995ECFB1E3C47EE94FD14B
SHA-256:CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F
SHA-512:6733F330145B48D23C023C664090F4F240E9BBEB8368B486C8EE8682EC6A930B73275E24075648D1AA7E01DB1EC7B7E259286917A006BA9AF8FB7CBA3439070A
Malicious:false
Process:C:\Microsoft\iusb3mon.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 166x312, components 3
Category:dropped
Size (bytes):37625
Entropy (8bit):7.931009836595926
Encrypted:false
SSDEEP:768:S0jPDrkTYU5n10PIUcLbnkC59fNaeocQXiWN6hhm4gj0mVWQySgA1:RvqYe0PINLkC5Haeoik6HMHWQySgg
MD5:F6BF82A293B69AA5B47D4E2DE305D45A
SHA1:4948716616D4BBE68BE2B4C5BF95350402D3F96F
SHA-256:6A9368CDD7B3FF9B590E206C3536569BC45C338966D0059784959F73FE6281E0
SHA-512:EDF0F3EE60A620CF886184C1014F38D0505AAC9E3703D61D7074CFB27D6922F80E570D1A3891593606A09F1296A88C8770445761C11C390A99A5341EE56478AA
Malicious:false
Process:C:\Microsoft\iusb3mon.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 111x63, components 3
Category:dropped
Size (bytes):6887
Entropy (8bit):7.912044261903433
Encrypted:false
SSDEEP:192:EqK9OIJV7hREPQEOPdivlu54UovmNqg0aB0kOI:EJIIJVcPQEOEvMJoON/0aBwI
MD5:E39405E85E09F64CCDE0F59392317DD3
SHA1:9C76DB4B3D8C7972E7995ECFB1E3C47EE94FD14B
SHA-256:CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F
SHA-512:6733F330145B48D23C023C664090F4F240E9BBEB8368B486C8EE8682EC6A930B73275E24075648D1AA7E01DB1EC7B7E259286917A006BA9AF8FB7CBA3439070A
Malicious:false
Process:C:\Microsoft\iusb3mon.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 166x312, components 3
Category:dropped
Size (bytes):37625
Entropy (8bit):7.931009836595926
Encrypted:false
SSDEEP:768:S0jPDrkTYU5n10PIUcLbnkC59fNaeocQXiWN6hhm4gj0mVWQySgA1:RvqYe0PINLkC5Haeoik6HMHWQySgg
MD5:F6BF82A293B69AA5B47D4E2DE305D45A
SHA1:4948716616D4BBE68BE2B4C5BF95350402D3F96F
SHA-256:6A9368CDD7B3FF9B590E206C3536569BC45C338966D0059784959F73FE6281E0
SHA-512:EDF0F3EE60A620CF886184C1014F38D0505AAC9E3703D61D7074CFB27D6922F80E570D1A3891593606A09F1296A88C8770445761C11C390A99A5341EE56478AA
Malicious:false
Process:C:\Microsoft\iusb3mon.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:FQFn:En
MD5:C5FE25896E49DDFE996DB7508CF00534
SHA1:69DF79BEF9287D3BCB8F104A408B06DE6A108FD8
SHA-256:C507A68F3093E885765257ED3F176C757AAF62BB4CBC2EF94B2E7DA3406D9676
SHA-512:40D306DF4FBFFCE56C38CE96948D6BAC43F8F0EB91A7918E0BB6EBB31E1F6D9FDF9DE33C31F9BC0D79CF9453040B78AB6D24F4893CEF2B4187FFB504635EA906
Malicious:false
Preview:55555
Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):3027728
Entropy (8bit):7.856503406318228
Encrypted:false
SSDEEP:49152:sejRVM654Suz/Debm7vpElDBc4uN+C+LHseGi1pm2PfLwUA0EUEiXDSWqf16yag5:sejRVMDhe6yH1ugfHseGKtPDw50E1iTe
MD5:B52BA2B99108C496389AE5BB81FA6537
SHA1:9073D8C4A1968BE24357862015519F2AFECD833A
SHA-256:C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
SHA-512:6637506EE80D359E729E0011B97E8D827E14356393193247F502B7FCFBBCA249DC045B8ACFE4B31CE462468F421DC5D9A4E31183BEDB66C45A9AA43C01F81397
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1572864
Entropy (8bit):4.291565252958104
Encrypted:false
SSDEEP:12288:T8KISB/hKAYMD9fgmyvS9USy3Vw+ElZZodxtcaFlRv0saODpXnWyBOF:1ISB/hKAYMD9fgGim
MD5:54B77B8D2CF2440F532D2C0844709827
SHA1:DDB8B33F3275A12E78617D16587D972D17B76965
SHA-256:920185F8FED1AAA5472B673F9098B560F5338FA66418350B13F54427C92174EF
SHA-512:191123930543084471ACC3CD4D96FF92801D3E52A1E450E899FE30D75991F0411DDCDF0C8F87813869ABD105AA0ABD344152120868D8C93235952EEF52BF758D
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):36864
Entropy (8bit):3.943220010495871
Encrypted:false
SSDEEP:768:77ObRftx1tJ4JyGFAJVXqSH5GbfNaIE3gMqCLHvUqBpIGEPkqQQSC9gGMYAvcu:0tT29dM23+
MD5:32F8B1201C9DAA6C98A31F01CCB5CEF5
SHA1:3AB3D00B7BA8D4F1278CB1F41E7ED202F9D1C43A
SHA-256:3638EA4DEDB2134BAD3ACF95BA2EC52F16C5D5343CEF52663402ADF678B67D98
SHA-512:DDF0611BD6B2884C1B17013A939661A8DBAA71A8A848BA16B35E5127BADF43B3254833E1EF2A32416C502E9DD094BDBD530922F1A010C05460E0DE5D54785F0E
Malicious:false
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):330704
                                                                                                                            Entropy (8bit):6.260364870918901
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:trgQe2V7oSbhJN9sivnjPaAqvBIqGdI0W6yfcmuLHRFr6QaMpQqMlKNU+:trgWJPvjPJELkWAF+QM+
                                                                                                                            MD5:5770866EDBB1A095D7EDC981F37D9D53
                                                                                                                            SHA1:E067A008A709459A1732E0AB06DE277501BE076F
                                                                                                                            SHA-256:E4E8AC5179F1DFF784E64C0299A9C39917352A06806EBBA2DE15F8D129275367
                                                                                                                            SHA-512:B88C6817EF6D4301D0A99866C884627FBEAF20AEE65CBD3AC519CB1E8880147710CDB19E853B2BD8B712A31EFC57040C189D198EF361C4C2E11F377C42DEAED4
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Entropy (8bit):7.979862270635502
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.70%
                                                                                                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                            File name:fNlAH8RgLk.exe
                                                                                                                            File size:7'251'838 bytes
                                                                                                                            MD5:9a90e115834ba8339bd0cc43c034ad55
                                                                                                                            SHA1:96109e6ba18aa69a359c90e1fe448e78ba6c1c57
                                                                                                                            SHA256:583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
                                                                                                                            SHA512:3bb859e350fb7d9c937a92c23f11778d82e6639cdadd59b96363ecd136fd1434389319bc739c1281e24e2c89bd16c4a4d113ccee7e1de0e5314ea900d3528b06
                                                                                                                            SSDEEP:196608:DI3F6n80W6uG2UVznZHBMlHVgvnmBir+5qO:oFREHVTrMl16mB/QO
                                                                                                                            TLSH:CE763302F7D1C471D8AA00B48066DAF24A757E3153B9D9FB7BD0693A9E316D0DA32B07
                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L...J..O.................X.........
                                                                                                                            Icon Hash:2f232d67b7934633
                                                                                                                            Entrypoint:0x4029e1
                                                                                                                            Entrypoint Section:.text
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                            Time Stamp:0x4FDA0E4A [Thu Jun 14 16:16:10 2012 UTC]
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:5
                                                                                                                            OS Version Minor:1
                                                                                                                            File Version Major:5
                                                                                                                            File Version Minor:1
                                                                                                                            Subsystem Version Major:5
                                                                                                                            Subsystem Version Minor:1
                                                                                                                            Import Hash:1ff847646487d56f85778df99ff3728a
                                                                                                                            Instruction
                                                                                                                            call 00007FB20CE7BB0Bh
                                                                                                                            jmp 00007FB20CE79BEEh
                                                                                                                            mov edi, edi
                                                                                                                            push esi
                                                                                                                            push edi
                                                                                                                            xor esi, esi
                                                                                                                            mov edi, 0040ABC8h
                                                                                                                            cmp dword ptr [0040A054h+esi*8], 01h
                                                                                                                            jne 00007FB20CE79D7Fh
                                                                                                                            lea eax, dword ptr [0040A050h+esi*8]
                                                                                                                            mov dword ptr [eax], edi
                                                                                                                            push 00000FA0h
                                                                                                                            push dword ptr [eax]
                                                                                                                            add edi, 18h
                                                                                                                            call dword ptr [004070C0h]
                                                                                                                            test eax, eax
                                                                                                                            je 00007FB20CE79D6Eh
                                                                                                                            inc esi
                                                                                                                            cmp esi, 24h
                                                                                                                            jl 00007FB20CE79D35h
                                                                                                                            xor eax, eax
                                                                                                                            inc eax
                                                                                                                            pop edi
                                                                                                                            pop esi
                                                                                                                            ret
                                                                                                                            and dword ptr [0040A050h+esi*8], 00000000h
                                                                                                                            xor eax, eax
                                                                                                                            jmp 00007FB20CE79D53h
                                                                                                                            mov edi, edi
                                                                                                                            push ebx
                                                                                                                            mov ebx, dword ptr [004070C4h]
                                                                                                                            push esi
                                                                                                                            mov esi, 0040A050h
                                                                                                                            push edi
                                                                                                                            mov edi, dword ptr [esi]
                                                                                                                            test edi, edi
                                                                                                                            je 00007FB20CE79D75h
                                                                                                                            cmp dword ptr [esi+04h], 01h
                                                                                                                            je 00007FB20CE79D6Fh
                                                                                                                            push edi
                                                                                                                            call ebx
                                                                                                                            push edi
                                                                                                                            call 00007FB20CE79A7Dh
                                                                                                                            and dword ptr [esi], 00000000h
                                                                                                                            pop ecx
                                                                                                                            add esi, 08h
                                                                                                                            cmp esi, 0040A170h
                                                                                                                            jl 00007FB20CE79D3Eh
                                                                                                                            mov esi, 0040A050h
                                                                                                                            pop edi
                                                                                                                            mov eax, dword ptr [esi]
                                                                                                                            test eax, eax
                                                                                                                            je 00007FB20CE79D6Bh
                                                                                                                            cmp dword ptr [esi+04h], 01h
                                                                                                                            jne 00007FB20CE79D65h
                                                                                                                            push eax
                                                                                                                            call ebx
                                                                                                                            add esi, 08h
                                                                                                                            cmp esi, 0040A170h
                                                                                                                            jl 00007FB20CE79D48h
                                                                                                                            pop esi
                                                                                                                            pop ebx
                                                                                                                            ret
                                                                                                                            mov edi, edi
                                                                                                                            push ebp
                                                                                                                            mov ebp, esp
                                                                                                                            mov eax, dword ptr [ebp+08h]
                                                                                                                            push dword ptr [0040A050h+eax*8]
                                                                                                                            call dword ptr [004070C8h]
                                                                                                                            pop ebp
                                                                                                                            ret
                                                                                                                            push 0000000Ch
                                                                                                                            push 004094D0h
                                                                                                                            Programming Language:
                                                                                                                            • [ASM] VS2010 SP1 build 40219
                                                                                                                            • [ C ] VS2010 SP1 build 40219
                                                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                                                            • [C++] VS2010 SP1 build 40219
                                                                                                                            • [RES] VS2010 SP1 build 40219
                                                                                                                            • [LNK] VS2010 SP1 build 40219
                                                                                                                             Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT          0x963c           0x64          .rdata
                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x6da4        .rsrc
                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC       0x13000          0x7c8         .reloc
                                                                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9390           0x40          .rdata
                                                                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x178         .rdata
                                                                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                                                                             Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                                                                                                             .text   0x1000           0x5718        0x5800    False     0.6103959517045454   data       6.459452000665297   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                             .rdata  0x7000           0x2e82        0x3000    False     0.3490397135416667   data       4.975333962704712   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                             .data   0xa000           0x1968        0xc00     False     0.23014322916666666  data       2.586625009588695   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                             .rsrc   0xc000           0x6da4        0x6e00    False     0.47095170454545454  data       5.661983139328753   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                             .reloc  0x13000          0x1092        0x1200    False     0.3784722222222222   data       3.7122019142927596  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                             Name           RVA      Size    Type                                                                                  Language  Country        ZLIB Complexity
                                                                                                                             RT_ICON        0xc2b0   0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors    English   United States  0.6317567567567568
                                                                                                                             RT_ICON        0xc3d8   0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors   English   United States  0.5823699421965318
                                                                                                                             RT_ICON        0xc940   0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors    English   United States  0.5120967741935484
                                                                                                                             RT_ICON        0xcc28   0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  English   United States  0.5455776173285198
                                                                                                                             RT_ICON        0xd4d0   0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1536                        English   United States  0.36341463414634145
                                                                                                                             RT_ICON        0xdb38   0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2688                        English   United States  0.42350746268656714
                                                                                                                             RT_ICON        0xe9e0   0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                        English   United States  0.4097560975609756
                                                                                                                             RT_ICON        0xf048   0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  English   United States  0.6391257995735607
                                                                                                                             RT_ICON        0xfef0   0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                       English   United States  0.5276970954356847
                                                                                                                             RT_GROUP_ICON  0x12498  0x5a    data                                                                                  English   United States  0.7444444444444445
                                                                                                                             RT_VERSION     0x124f4  0x3e0   data                                                                                  English   United States  0.42943548387096775
                                                                                                                             RT_MANIFEST    0x128d4  0x4d0   XML 1.0 document, ASCII text, with CRLF line terminators                              English   United States  0.4772727272727273
                                                                                                                             DLL           Import
                                                                                                                             KERNEL32.dll  _lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, RtlUnwind, HeapSize, lstrcpyA, GetTempPathA, CompareStringA, IsValidCodePage, GetOEMCP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameW, IsProcessorFeaturePresent, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP
                                                                                                                             USER32.dll    TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
                                                                                                                             ADVAPI32.dll  GetTokenInformation, OpenProcessToken
                                                                                                                             SHELL32.dll   ShellExecuteExA
                                                                                                                             Language of compilation system  Country where language is spoken  Map
                                                                                                                             English                         United States
                                                                                                                            No network behavior found

Target ID: 0
Start time: 06:05:08
Start date: 07/07/2023
Path: C:\Users\user\Desktop\fNlAH8RgLk.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\fNlAH8RgLk.exe
Imagebase: 0xf40000
File size: 7'251'838 bytes
MD5 hash: 9A90E115834BA8339BD0CC43C034AD55
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 06:05:09
Start date: 07/07/2023
Path: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\fNlAH8RgLk.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Imagebase: 0x400000
File size: 1'344'512 bytes
MD5 hash: DEC931E86140139380EA0DF57CD132B6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation: moderate

Target ID: 2
Start time: 06:05:13
Start date: 07/07/2023
Path: C:\un.exe
Wow64 process (32bit): false
Commandline: "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\
Imagebase: 0x7ff648350000
File size: 330'704 bytes
MD5 hash: 5770866EDBB1A095D7EDC981F37D9D53
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low

Target ID: 3
Start time: 06:05:13
Start date: 07/07/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 06:05:14
Start date: 07/07/2023
Path: C:\un.exe
Wow64 process (32bit): false
Commandline: "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe iusb3mon.dat Media.xml C:\Microsoft\
Imagebase: 0x7ff648350000
File size: 330'704 bytes
MD5 hash: 5770866EDBB1A095D7EDC981F37D9D53
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 5
Start time: 06:05:14
Start date: 07/07/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 06:05:15
Start date: 07/07/2023
Path: C:\Microsoft\iusb3mon.exe
Wow64 process (32bit): true
Commandline: "C:\Microsoft\iusb3mon.exe"
Imagebase: 0x400000
File size: 486'832 bytes
MD5 hash: 1B9D1C5BDDAFF4DD75A470FA12E35E66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 5%, ReversingLabs
Reputation: low

Target ID: 7
Start time: 06:05:16
Start date: 07/07/2023
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\explorer.exe" C:\WPS_Setup
Imagebase: 0xcf0000
File size: 3'611'360 bytes
MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 06:05:16
Start date: 07/07/2023
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x7ff69fe90000
File size: 3'933'184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 06:05:20
Start date: 07/07/2023
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 860
Imagebase: 0x1380000
File size: 434'592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 16
Start time: 06:05:29
Start date: 07/07/2023
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 880
Imagebase: 0x1380000
File size: 434'592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Execution Graph

Execution Coverage: 19.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 6.5%
Total number of Nodes: 1131
Total number of Limit Nodes: 86
3147->3150 3149 f42af0 3149->3094 3149->3095 3150->3149 3151 f44847 Sleep 3150->3151 3231 f427ac 3150->3231 3152 f4485c 3151->3152 3152->3149 3152->3150 3248 f42a8c LeaveCriticalSection 3153->3248 3155 f42b63 3155->3096 3157 f45973 3156->3157 3158 f4597d 3157->3158 3159 f4348d __mtinitlocknum 66 API calls 3157->3159 3158->3113 3160 f45996 3159->3160 3163 f42f8f 3160->3163 3166 f42f62 DecodePointer 3163->3166 3167 f42f77 3166->3167 3172 f42f3d 3167->3172 3169 f42f8e 3170 f42f62 _strcpy_s 10 API calls 3169->3170 3171 f42f9b 3170->3171 3171->3113 3175 f42e14 3172->3175 3176 f42e33 __setmbcp_nolock __call_reportfault 3175->3176 3177 f42e51 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 3176->3177 3178 f42f1f __call_reportfault 3177->3178 3179 f4239a __setmbcp_nolock 5 API calls 3178->3179 3180 f42f3b GetCurrentProcess TerminateProcess 3179->3180 3180->3169 3182 f45919 3181->3182 3183 f45912 3181->3183 3184 f4348d __mtinitlocknum 66 API calls 3182->3184 3183->3182 3187 f4593a 3183->3187 3185 f4591e 3184->3185 3186 f42f8f _strcpy_s 11 API calls 3185->3186 3188 f43a34 3186->3188 3187->3188 3189 f4348d __mtinitlocknum 66 API calls 3187->3189 3188->3134 3188->3138 3189->3185 3195 f4582e 3190->3195 3191 f45832 3192 f4348d __mtinitlocknum 66 API calls 3191->3192 3193 f45837 3191->3193 3194 f4584e 3192->3194 3193->3138 3196 f42f8f _strcpy_s 11 API calls 3194->3196 3195->3191 3195->3193 3197 f45875 3195->3197 3196->3193 3197->3193 3198 f4348d __mtinitlocknum 66 API calls 3197->3198 3198->3194 3225 f42fd6 RtlEncodePointer 3199->3225 3201 f45661 3202 f45671 LoadLibraryW 3201->3202 3203 f456ee 3201->3203 3204 f45686 GetProcAddress 3202->3204 3210 f45786 3202->3210 3206 f45708 DecodePointer DecodePointer 3203->3206 3215 f4571b 3203->3215 3205 f4569c 7 API calls 3204->3205 3204->3210 3205->3203 3209 f456de GetProcAddress EncodePointer 3205->3209 3206->3215 3207 f45751 DecodePointer 3208 f4577a DecodePointer 3207->3208 3213 f45758 3207->3213 3208->3210 
3209->3203 3211 f4239a __setmbcp_nolock 5 API calls 3210->3211 3212 f457a5 3211->3212 3212->3143 3213->3208 3214 f4576b DecodePointer 3213->3214 3214->3208 3216 f4573e 3214->3216 3215->3207 3215->3208 3215->3216 3216->3208 3218 f423a4 IsDebuggerPresent 3217->3218 3219 f423a2 3217->3219 3226 f449e0 3218->3226 3219->3124 3222 f43d34 SetUnhandledExceptionFilter UnhandledExceptionFilter 3223 f43d51 __call_reportfault 3222->3223 3224 f43d59 GetCurrentProcess TerminateProcess 3222->3224 3223->3224 3224->3124 3225->3201 3226->3222 3228 f42057 ExitProcess 3227->3228 3229 f42042 GetProcAddress 3227->3229 3229->3228 3230 f42052 3229->3230 3230->3228 3232 f42829 3231->3232 3240 f427ba 3231->3240 3233 f42fae _malloc DecodePointer 3232->3233 3234 f4282f 3233->3234 3236 f4348d __mtinitlocknum 65 API calls 3234->3236 3235 f43b64 __FF_MSGBANNER 65 API calls 3245 f427c5 3235->3245 3247 f42821 3236->3247 3237 f427e8 RtlAllocateHeap 3237->3240 3237->3247 3238 f439b5 __NMSG_WRITE 65 API calls 3238->3245 3239 f42815 3242 f4348d __mtinitlocknum 65 API calls 3239->3242 3240->3237 3240->3239 3241 f42fae _malloc DecodePointer 3240->3241 3244 f42813 3240->3244 3240->3245 3241->3240 3242->3244 3243 f42059 __mtinitlocknum 3 API calls 3243->3245 3246 f4348d __mtinitlocknum 65 API calls 3244->3246 3245->3235 3245->3238 3245->3240 3245->3243 3246->3247 3247->3150 3248->3155 3249->3070 3250->3085 3252 f4427a 3251->3252 3255 f442e7 3252->3255 3261 f45a58 3252->3261 3254 f443e5 3254->2910 3254->2912 3255->3254 3256 f45a58 76 API calls _parse_cmdline 3255->3256 3256->3255 3258 f453f9 3257->3258 3259 f453f2 3257->3259 3258->2905 3585 f4524f 3259->3585 3264 f45a05 3261->3264 3267 f44959 3264->3267 3268 f4496c 3267->3268 3272 f449b9 3267->3272 3275 f43187 3268->3275 3272->3252 3273 f44999 3273->3272 3295 f44f44 3273->3295 3276 f4310e __getptd_noexit 66 API calls 3275->3276 3277 f4318f 3276->3277 3278 f4319c 3277->3278 3279 f422fb __amsg_exit 66 API calls 3277->3279 3278->3273 3280 f44ca8 3278->3280 
3279->3278 3281 f44cb4 __initptd 3280->3281 3282 f43187 __getptd 66 API calls 3281->3282 3283 f44cb9 3282->3283 3284 f44ce7 3283->3284 3285 f44ccb 3283->3285 3286 f42b65 __lock 66 API calls 3284->3286 3287 f43187 __getptd 66 API calls 3285->3287 3288 f44cee 3286->3288 3292 f44cd0 3287->3292 3311 f44c5b 3288->3311 3293 f44cde __initptd 3292->3293 3294 f422fb __amsg_exit 66 API calls 3292->3294 3293->3273 3294->3293 3296 f44f50 __initptd 3295->3296 3297 f43187 __getptd 66 API calls 3296->3297 3298 f44f55 3297->3298 3299 f42b65 __lock 66 API calls 3298->3299 3300 f44f67 3298->3300 3301 f44f85 3299->3301 3306 f422fb __amsg_exit 66 API calls 3300->3306 3307 f44f75 __initptd 3300->3307 3302 f44fce 3301->3302 3303 f44fb6 InterlockedIncrement 3301->3303 3304 f44f9c InterlockedDecrement 3301->3304 3581 f44fdf 3302->3581 3303->3302 3304->3303 3308 f44fa7 3304->3308 3306->3307 3307->3272 3308->3303 3309 f42772 _free 66 API calls 3308->3309 3310 f44fb5 3309->3310 3310->3303 3312 f44c68 3311->3312 3313 f44c9d 3311->3313 3312->3313 3314 f449e8 ___addlocaleref 8 API calls 3312->3314 3319 f44d15 3313->3319 3315 f44c7e 3314->3315 3315->3313 3322 f44a77 3315->3322 3580 f42a8c LeaveCriticalSection 3319->3580 3321 f44d1c 3321->3292 3323 f44a88 InterlockedDecrement 3322->3323 3324 f44b0b 3322->3324 3325 f44aa0 3323->3325 3326 f44a9d InterlockedDecrement 3323->3326 3324->3313 3336 f44b10 3324->3336 3327 f44aad 3325->3327 3328 f44aaa InterlockedDecrement 3325->3328 3326->3325 3329 f44ab7 InterlockedDecrement 3327->3329 3330 f44aba 3327->3330 3328->3327 3329->3330 3331 f44ac4 InterlockedDecrement 3330->3331 3333 f44ac7 3330->3333 3331->3333 3332 f44ae0 InterlockedDecrement 3332->3333 3333->3332 3334 f44af0 InterlockedDecrement 3333->3334 3335 f44afb InterlockedDecrement 3333->3335 3334->3333 3335->3324 3337 f44b94 3336->3337 3338 f44b27 3336->3338 3339 f44be1 3337->3339 3340 f42772 _free 66 API calls 3337->3340 3338->3337 3346 f42772 _free 66 API calls 3338->3346 3349 f44b5b 3338->3349 
3362 f44c0a 3339->3362 3406 f45bcc 3339->3406 3342 f44bb5 3340->3342 3344 f42772 _free 66 API calls 3342->3344 3350 f44bc8 3344->3350 3345 f42772 _free 66 API calls 3351 f44b89 3345->3351 3352 f44b50 3346->3352 3347 f42772 _free 66 API calls 3347->3362 3348 f44c4f 3353 f42772 _free 66 API calls 3348->3353 3354 f42772 _free 66 API calls 3349->3354 3365 f44b7c 3349->3365 3356 f42772 _free 66 API calls 3350->3356 3357 f42772 _free 66 API calls 3351->3357 3366 f45fac 3352->3366 3359 f44c55 3353->3359 3360 f44b71 3354->3360 3355 f42772 66 API calls _free 3355->3362 3361 f44bd6 3356->3361 3357->3337 3359->3313 3394 f45f43 3360->3394 3364 f42772 _free 66 API calls 3361->3364 3362->3348 3362->3355 3364->3339 3365->3345 3367 f45fbd 3366->3367 3393 f460a6 3366->3393 3368 f45fce 3367->3368 3369 f42772 _free 66 API calls 3367->3369 3370 f45fe0 3368->3370 3371 f42772 _free 66 API calls 3368->3371 3369->3368 3372 f45ff2 3370->3372 3373 f42772 _free 66 API calls 3370->3373 3371->3370 3374 f46004 3372->3374 3375 f42772 _free 66 API calls 3372->3375 3373->3372 3376 f46016 3374->3376 3377 f42772 _free 66 API calls 3374->3377 3375->3374 3378 f46028 3376->3378 3379 f42772 _free 66 API calls 3376->3379 3377->3376 3380 f4603a 3378->3380 3381 f42772 _free 66 API calls 3378->3381 3379->3378 3382 f4604c 3380->3382 3383 f42772 _free 66 API calls 3380->3383 3381->3380 3384 f4605e 3382->3384 3385 f42772 _free 66 API calls 3382->3385 3383->3382 3386 f42772 _free 66 API calls 3384->3386 3388 f46070 3384->3388 3385->3384 3386->3388 3387 f46082 3390 f46094 3387->3390 3391 f42772 _free 66 API calls 3387->3391 3388->3387 3389 f42772 _free 66 API calls 3388->3389 3389->3387 3392 f42772 _free 66 API calls 3390->3392 3390->3393 3391->3390 3392->3393 3393->3349 3396 f45f50 3394->3396 3405 f45fa8 3394->3405 3395 f45f60 3398 f45f72 3395->3398 3400 f42772 _free 66 API calls 3395->3400 3396->3395 3397 f42772 _free 66 API calls 3396->3397 3397->3395 3399 f45f84 3398->3399 3401 f42772 _free 66 API calls 
3398->3401 3402 f45f96 3399->3402 3403 f42772 _free 66 API calls 3399->3403 3400->3398 3401->3399 3404 f42772 _free 66 API calls 3402->3404 3402->3405 3403->3402 3404->3405 3405->3365 3407 f44bff 3406->3407 3408 f45bdd 3406->3408 3407->3347 3409 f42772 _free 66 API calls 3408->3409 3410 f45be5 3409->3410 3411 f42772 _free 66 API calls 3410->3411 3412 f45bed 3411->3412 3413 f42772 _free 66 API calls 3412->3413 3414 f45bf5 3413->3414 3415 f42772 _free 66 API calls 3414->3415 3416 f45bfd 3415->3416 3417 f42772 _free 66 API calls 3416->3417 3418 f45c05 3417->3418 3419 f42772 _free 66 API calls 3418->3419 3420 f45c0d 3419->3420 3421 f42772 _free 66 API calls 3420->3421 3422 f45c14 3421->3422 3423 f42772 _free 66 API calls 3422->3423 3424 f45c1c 3423->3424 3425 f42772 _free 66 API calls 3424->3425 3426 f45c24 3425->3426 3427 f42772 _free 66 API calls 3426->3427 3428 f45c2c 3427->3428 3429 f42772 _free 66 API calls 3428->3429 3430 f45c34 3429->3430 3431 f42772 _free 66 API calls 3430->3431 3432 f45c3c 3431->3432 3433 f42772 _free 66 API calls 3432->3433 3434 f45c44 3433->3434 3435 f42772 _free 66 API calls 3434->3435 3436 f45c4c 3435->3436 3437 f42772 _free 66 API calls 3436->3437 3438 f45c54 3437->3438 3439 f42772 _free 66 API calls 3438->3439 3440 f45c5c 3439->3440 3441 f42772 _free 66 API calls 3440->3441 3442 f45c67 3441->3442 3443 f42772 _free 66 API calls 3442->3443 3444 f45c6f 3443->3444 3445 f42772 _free 66 API calls 3444->3445 3446 f45c77 3445->3446 3447 f42772 _free 66 API calls 3446->3447 3448 f45c7f 3447->3448 3449 f42772 _free 66 API calls 3448->3449 3450 f45c87 3449->3450 3451 f42772 _free 66 API calls 3450->3451 3452 f45c8f 3451->3452 3453 f42772 _free 66 API calls 3452->3453 3454 f45c97 3453->3454 3455 f42772 _free 66 API calls 3454->3455 3456 f45c9f 3455->3456 3457 f42772 _free 66 API calls 3456->3457 3458 f45ca7 3457->3458 3459 f42772 _free 66 API calls 3458->3459 3460 f45caf 3459->3460 3461 f42772 _free 66 API calls 3460->3461 3462 f45cb7 3461->3462 
3463 f42772 _free 66 API calls 3462->3463 3464 f45cbf 3463->3464 3465 f42772 _free 66 API calls 3464->3465 3466 f45cc7 3465->3466 3467 f42772 _free 66 API calls 3466->3467 3468 f45ccf 3467->3468 3469 f42772 _free 66 API calls 3468->3469 3470 f45cd7 3469->3470 3471 f42772 _free 66 API calls 3470->3471 3472 f45cdf 3471->3472 3473 f42772 _free 66 API calls 3472->3473 3474 f45ced 3473->3474 3475 f42772 _free 66 API calls 3474->3475 3476 f45cf8 3475->3476 3477 f42772 _free 66 API calls 3476->3477 3478 f45d03 3477->3478 3479 f42772 _free 66 API calls 3478->3479 3480 f45d0e 3479->3480 3481 f42772 _free 66 API calls 3480->3481 3482 f45d19 3481->3482 3483 f42772 _free 66 API calls 3482->3483 3484 f45d24 3483->3484 3485 f42772 _free 66 API calls 3484->3485 3486 f45d2f 3485->3486 3487 f42772 _free 66 API calls 3486->3487 3488 f45d3a 3487->3488 3489 f42772 _free 66 API calls 3488->3489 3490 f45d45 3489->3490 3491 f42772 _free 66 API calls 3490->3491 3492 f45d50 3491->3492 3493 f42772 _free 66 API calls 3492->3493 3494 f45d5b 3493->3494 3495 f42772 _free 66 API calls 3494->3495 3496 f45d66 3495->3496 3497 f42772 _free 66 API calls 3496->3497 3498 f45d71 3497->3498 3499 f42772 _free 66 API calls 3498->3499 3500 f45d7c 3499->3500 3501 f42772 _free 66 API calls 3500->3501 3502 f45d87 3501->3502 3503 f42772 _free 66 API calls 3502->3503 3504 f45d92 3503->3504 3505 f42772 _free 66 API calls 3504->3505 3506 f45da0 3505->3506 3507 f42772 _free 66 API calls 3506->3507 3508 f45dab 3507->3508 3509 f42772 _free 66 API calls 3508->3509 3510 f45db6 3509->3510 3511 f42772 _free 66 API calls 3510->3511 3512 f45dc1 3511->3512 3513 f42772 _free 66 API calls 3512->3513 3514 f45dcc 3513->3514 3515 f42772 _free 66 API calls 3514->3515 3516 f45dd7 3515->3516 3517 f42772 _free 66 API calls 3516->3517 3518 f45de2 3517->3518 3519 f42772 _free 66 API calls 3518->3519 3520 f45ded 3519->3520 3521 f42772 _free 66 API calls 3520->3521 3522 f45df8 3521->3522 3523 f42772 _free 66 API calls 3522->3523 3524 
f45e03 3523->3524 3525 f42772 _free 66 API calls 3524->3525 3526 f45e0e 3525->3526 3527 f42772 _free 66 API calls 3526->3527 3528 f45e19 3527->3528 3529 f42772 _free 66 API calls 3528->3529 3530 f45e24 3529->3530 3531 f42772 _free 66 API calls 3530->3531 3532 f45e2f 3531->3532 3533 f42772 _free 66 API calls 3532->3533 3534 f45e3a 3533->3534 3535 f42772 _free 66 API calls 3534->3535 3536 f45e45 3535->3536 3537 f42772 _free 66 API calls 3536->3537 3538 f45e53 3537->3538 3539 f42772 _free 66 API calls 3538->3539 3540 f45e5e 3539->3540 3541 f42772 _free 66 API calls 3540->3541 3542 f45e69 3541->3542 3543 f42772 _free 66 API calls 3542->3543 3544 f45e74 3543->3544 3545 f42772 _free 66 API calls 3544->3545 3546 f45e7f 3545->3546 3547 f42772 _free 66 API calls 3546->3547 3548 f45e8a 3547->3548 3549 f42772 _free 66 API calls 3548->3549 3550 f45e95 3549->3550 3551 f42772 _free 66 API calls 3550->3551 3552 f45ea0 3551->3552 3553 f42772 _free 66 API calls 3552->3553 3554 f45eab 3553->3554 3555 f42772 _free 66 API calls 3554->3555 3556 f45eb6 3555->3556 3557 f42772 _free 66 API calls 3556->3557 3558 f45ec1 3557->3558 3559 f42772 _free 66 API calls 3558->3559 3560 f45ecc 3559->3560 3561 f42772 _free 66 API calls 3560->3561 3562 f45ed7 3561->3562 3563 f42772 _free 66 API calls 3562->3563 3564 f45ee2 3563->3564 3565 f42772 _free 66 API calls 3564->3565 3566 f45eed 3565->3566 3567 f42772 _free 66 API calls 3566->3567 3568 f45ef8 3567->3568 3569 f42772 _free 66 API calls 3568->3569 3570 f45f06 3569->3570 3571 f42772 _free 66 API calls 3570->3571 3572 f45f11 3571->3572 3573 f42772 _free 66 API calls 3572->3573 3574 f45f1c 3573->3574 3575 f42772 _free 66 API calls 3574->3575 3576 f45f27 3575->3576 3577 f42772 _free 66 API calls 3576->3577 3578 f45f32 3577->3578 3579 f42772 _free 66 API calls 3578->3579 3579->3407 3580->3321 3584 f42a8c LeaveCriticalSection 3581->3584 3583 f44fe6 3583->3300 3584->3583 3586 f4525b __initptd 3585->3586 3587 f43187 __getptd 66 API calls 3586->3587 3588 
f45264 3587->3588 3589 f44f44 __setmbcp 68 API calls 3588->3589 3590 f4526e 3589->3590 3616 f44fea 3590->3616 3593 f44827 __malloc_crt 66 API calls 3594 f4528f 3593->3594 3595 f453ae __initptd 3594->3595 3623 f45066 3594->3623 3595->3258 3598 f452bf InterlockedDecrement 3600 f452e0 InterlockedIncrement 3598->3600 3601 f452cf 3598->3601 3599 f453bb 3599->3595 3604 f42772 _free 66 API calls 3599->3604 3608 f453ce 3599->3608 3600->3595 3603 f452f6 3600->3603 3601->3600 3602 f42772 _free 66 API calls 3601->3602 3606 f452df 3602->3606 3603->3595 3607 f42b65 __lock 66 API calls 3603->3607 3604->3608 3605 f4348d __mtinitlocknum 66 API calls 3605->3595 3606->3600 3610 f4530a InterlockedDecrement 3607->3610 3608->3605 3611 f45386 3610->3611 3612 f45399 InterlockedIncrement 3610->3612 3611->3612 3614 f42772 _free 66 API calls 3611->3614 3633 f453b0 3612->3633 3615 f45398 3614->3615 3615->3612 3617 f44959 _LocaleUpdate::_LocaleUpdate 76 API calls 3616->3617 3618 f44ffe 3617->3618 3619 f45027 3618->3619 3620 f45009 GetOEMCP 3618->3620 3621 f4502c GetACP 3619->3621 3622 f45019 3619->3622 3620->3622 3621->3622 3622->3593 3622->3595 3624 f44fea getSystemCP 78 API calls 3623->3624 3625 f45086 3624->3625 3626 f45091 setSBCS 3625->3626 3629 f450d5 IsValidCodePage 3625->3629 3631 f450fa __setmbcp_nolock 3625->3631 3627 f4239a __setmbcp_nolock 5 API calls 3626->3627 3628 f4524d 3627->3628 3628->3598 3628->3599 3629->3626 3630 f450e7 GetCPInfo 3629->3630 3630->3626 3630->3631 3636 f44db4 GetCPInfo 3631->3636 3697 f42a8c LeaveCriticalSection 3633->3697 3635 f453b7 3635->3595 3637 f44e9c 3636->3637 3639 f44de8 __setmbcp_nolock 3636->3639 3641 f4239a __setmbcp_nolock 5 API calls 3637->3641 3646 f463be 3639->3646 3643 f44f42 3641->3643 3643->3631 3645 f46291 ___crtLCMapStringA 82 API calls 3645->3637 3647 f44959 _LocaleUpdate::_LocaleUpdate 76 API calls 3646->3647 3648 f463d1 3647->3648 3656 f462d7 3648->3656 3651 f46291 3652 f44959 _LocaleUpdate::_LocaleUpdate 76 API calls 3651->3652 3653 
f462a4 3652->3653 3673 f460aa 3653->3673 3657 f462f5 3656->3657 3658 f46300 MultiByteToWideChar 3656->3658 3657->3658 3661 f4632d 3658->3661 3668 f46329 3658->3668 3659 f46342 __setmbcp_nolock __crtGetStringTypeA_stat 3663 f4637b MultiByteToWideChar 3659->3663 3659->3668 3660 f4239a __setmbcp_nolock 5 API calls 3662 f44e57 3660->3662 3661->3659 3664 f427ac _malloc 66 API calls 3661->3664 3662->3651 3665 f46391 GetStringTypeW 3663->3665 3666 f463a2 3663->3666 3664->3659 3665->3666 3669 f44939 3666->3669 3668->3660 3670 f44945 3669->3670 3671 f44956 3669->3671 3670->3671 3672 f42772 _free 66 API calls 3670->3672 3671->3668 3672->3671 3674 f460c8 MultiByteToWideChar 3673->3674 3679 f4612d 3674->3679 3686 f46126 3674->3686 3676 f46146 __crtGetStringTypeA_stat 3680 f4617a MultiByteToWideChar 3676->3680 3676->3686 3677 f4239a __setmbcp_nolock 5 API calls 3678 f44e77 3677->3678 3678->3645 3679->3676 3682 f427ac _malloc 66 API calls 3679->3682 3681 f46193 LCMapStringW 3680->3681 3696 f46272 3680->3696 3683 f461b2 3681->3683 3681->3696 3682->3676 3685 f461bc 3683->3685 3689 f461e5 3683->3689 3684 f44939 __crtGetStringTypeA_stat 66 API calls 3684->3686 3687 f461d0 LCMapStringW 3685->3687 3685->3696 3686->3677 3687->3696 3688 f46234 LCMapStringW 3690 f4626c 3688->3690 3691 f4624a WideCharToMultiByte 3688->3691 3692 f46200 __crtGetStringTypeA_stat 3689->3692 3693 f427ac _malloc 66 API calls 3689->3693 3694 f44939 __crtGetStringTypeA_stat 66 API calls 3690->3694 3691->3690 3692->3688 3692->3696 3693->3692 3694->3696 3696->3684 3697->3635 3699 f459bb 3698->3699 3700 f459b4 3698->3700 3701 f4348d __mtinitlocknum 66 API calls 3699->3701 3700->3699 3704 f459d9 3700->3704 3702 f459c0 3701->3702 3703 f42f8f _strcpy_s 11 API calls 3702->3703 3705 f459ca 3703->3705 3704->3705 3706 f4348d __mtinitlocknum 66 API calls 3704->3706 3705->2925 3706->3702 3708 f4362c EncodePointer 3707->3708 3708->3708 3709 f43646 3708->3709 3709->2938 3713 f43587 3710->3713 3712 f435d0 3712->2940 3714 f43593 
__initptd 3713->3714 3721 f42071 3714->3721 3720 f435b4 __initptd 3720->3712 3722 f42b65 __lock 66 API calls 3721->3722 3723 f42078 3722->3723 3724 f434a0 DecodePointer DecodePointer 3723->3724 3725 f434ce 3724->3725 3726 f4354f 3724->3726 3725->3726 3738 f45407 3725->3738 3735 f435bd 3726->3735 3728 f43532 EncodePointer EncodePointer 3728->3726 3729 f43504 3729->3726 3732 f448b8 __realloc_crt 70 API calls 3729->3732 3733 f43520 EncodePointer 3729->3733 3730 f434e0 3730->3728 3730->3729 3745 f448b8 3730->3745 3734 f4351a 3732->3734 3733->3728 3734->3726 3734->3733 3771 f4207a 3735->3771 3739 f45427 HeapSize 3738->3739 3740 f45412 3738->3740 3739->3730 3741 f4348d __mtinitlocknum 66 API calls 3740->3741 3742 f45417 3741->3742 3743 f42f8f _strcpy_s 11 API calls 3742->3743 3744 f45422 3743->3744 3744->3730 3746 f448c1 3745->3746 3748 f44900 3746->3748 3749 f448e1 Sleep 3746->3749 3750 f45af2 3746->3750 3748->3729 3749->3746 3751 f45afd 3750->3751 3752 f45b08 3750->3752 3753 f427ac _malloc 66 API calls 3751->3753 3754 f45b10 3752->3754 3762 f45b1d 3752->3762 3755 f45b05 3753->3755 3756 f42772 _free 66 API calls 3754->3756 3755->3746 3770 f45b18 _free 3756->3770 3757 f45b55 3758 f42fae _malloc DecodePointer 3757->3758 3760 f45b5b 3758->3760 3759 f45b25 HeapReAlloc 3759->3762 3759->3770 3763 f4348d __mtinitlocknum 66 API calls 3760->3763 3761 f45b85 3765 f4348d __mtinitlocknum 66 API calls 3761->3765 3762->3757 3762->3759 3762->3761 3764 f42fae _malloc DecodePointer 3762->3764 3767 f45b6d 3762->3767 3763->3770 3764->3762 3766 f45b8a GetLastError 3765->3766 3766->3770 3768 f4348d __mtinitlocknum 66 API calls 3767->3768 3769 f45b72 GetLastError 3768->3769 3769->3770 3770->3746 3774 f42a8c LeaveCriticalSection 3771->3774 3773 f42081 3773->3720 3774->3773 3776 f4100d LoadCursorA SetCursor 3775->3776 3776->2950 3797 f4121e GetModuleFileNameA 3777->3797 3779 f41f84 3798 f41233 _lopen 3779->3798 3782 f41fc1 3783 f4115c 3782->3783 3784 f41fcb Sleep 3782->3784 3783->2959 
3783->2961 3786 f41fe1 DeleteFileA DeleteFileA RemoveDirectoryA 3784->3786 3787 f42002 MoveFileExA MoveFileExA MoveFileExA 3784->3787 3786->3783 3787->3783 3795 f41216 _lclose 3794->3795 3796 f41190 3794->3796 3795->3796 3796->2965 3797->3779 3799 f41265 lstrcpyA 3798->3799 3800 f41280 3798->3800 3816 f414b1 3799->3816 3801 f427ac _malloc 66 API calls 3800->3801 3802 f4128a 3801->3802 3804 f41291 lstrcpyA 3802->3804 3805 f412ac _llseek 3802->3805 3803 f42772 _free 66 API calls 3806 f414c5 3803->3806 3804->3816 3810 f412bc 3805->3810 3806->3782 3818 f4188b GetCurrentDirectoryA 3806->3818 3807 f413a0 lstrcpyA 3807->3816 3808 f412c9 _lread 3808->3810 3810->3807 3810->3808 3811 f41365 _llseek _lread 3810->3811 3811->3807 3812 f413c2 _llseek _lread 3811->3812 3812->3807 3814 f41413 _llseek _lread 3812->3814 3814->3807 3815 f41461 _llseek _lread 3814->3815 3815->3816 3817 f41499 lstrcpyA 3815->3817 3816->3803 3817->3816 3910 f42320 3818->3910 3820 f418d2 GetTempPathA lstrlenA 3821 f41917 lstrlenA 3820->3821 3822 f418fd 3820->3822 3823 f41945 wsprintfA wsprintfA 3821->3823 3824 f41933 lstrcatA 3821->3824 3912 f41747 lstrlenA 3822->3912 3826 f419c6 DeleteFileA RemoveDirectoryA GetFileAttributesA 3823->3826 3824->3823 3828 f419f1 CreateDirectoryA lstrcpyA SetCurrentDirectoryA 3826->3828 3829 f4198b wsprintfA wsprintfA 3826->3829 3831 f41a25 lstrcpyA CreateDirectoryA 3828->3831 3832 f41a3e SetCurrentDirectoryA 3828->3832 3829->3826 3830 f4190d lstrcpyA 3830->3821 3831->3832 3833 f41a66 lstrlenA 3832->3833 3834 f41a51 lstrcpyA 3832->3834 3835 f41a91 6 API calls 3833->3835 3836 f41a7f lstrcatA 3833->3836 3834->3833 3837 f41b55 lstrcpyA 3835->3837 3838 f41b35 3835->3838 3836->3835 3839 f41b6a SetCurrentDirectoryA 3837->3839 3838->3837 3838->3839 3840 f4239a __setmbcp_nolock 5 API calls 3839->3840 3841 f41b8a 3840->3841 3841->3782 3842 f414ce 3841->3842 3843 f427ac _malloc 66 API calls 3842->3843 3844 f414e6 3843->3844 3845 f414f5 _llseek _lread 3844->3845 3856 f415d8 3844->3856 
3846 f415ac lstrcpyA 3845->3846 3847 f4152b 3845->3847 3851 f41592 3846->3851 3847->3846 3848 f41533 _lcreat 3847->3848 3850 f41548 lstrcpyA 3848->3850 3852 f41560 _lwrite 3848->3852 3849 f42772 _free 66 API calls 3853 f415cb 3849->3853 3850->3851 3851->3849 3852->3851 3855 f415d1 _lclose 3853->3855 3853->3856 3855->3856 3856->3782 3857 f415e0 _llseek _lread 3856->3857 3858 f41624 lstrcpyA 3857->3858 3859 f4163c 3857->3859 3858->3859 3860 f427ac _malloc 66 API calls 3859->3860 3861 f41652 3860->3861 3862 f4165e _llseek _lread 3861->3862 3863 f41729 lstrcpyA 3861->3863 3864 f41687 3862->3864 3865 f41708 lstrcpyA 3862->3865 3866 f41726 3863->3866 3864->3865 3867 f4168c 3864->3867 3868 f416f4 3865->3868 3866->3782 3876 f41b8c 3866->3876 3867->3868 3869 f41691 _lcreat 3867->3869 3870 f42772 _free 66 API calls 3868->3870 3871 f416a6 lstrcpyA 3869->3871 3872 f416be _lwrite 3869->3872 3870->3866 3871->3868 3873 f416d7 lstrcpyA 3872->3873 3874 f416d2 3872->3874 3875 f416ed _lclose 3873->3875 3874->3873 3874->3875 3875->3868 3877 f41bbb __setmbcp_nolock 3876->3877 3878 f41bec wsprintfA lstrlenA 3877->3878 3879 f41c4d lstrcatA 3878->3879 3880 f41c5b 12 API calls 3878->3880 3879->3880 3881 f41de8 3880->3881 3882 f41d38 3880->3882 3884 f41df2 MessageBoxA 3881->3884 3885 f41e08 __setmbcp_nolock 3881->3885 3883 f427ac _malloc 66 API calls 3882->3883 3886 f41d49 3883->3886 3884->3885 3887 f41e1a ShellExecuteExA 3885->3887 3886->3881 3888 f41d58 GetTokenInformation 3886->3888 3889 f41eb7 3887->3889 3890 f41e7d GetLastError 3887->3890 3888->3881 3891 f41d77 3888->3891 3894 f41f1f GetExitCodeProcess 3889->3894 3896 f41f05 MsgWaitForMultipleObjects 3889->3896 3892 f41ea8 3890->3892 3893 f41e8a lstrcpyA 3890->3893 3921 f41821 LoadLibraryA 3891->3921 3899 f4239a __setmbcp_nolock 5 API calls 3892->3899 3893->3892 3897 f41f59 CloseHandle 3894->3897 3898 f41f4b 3894->3898 3896->3894 3902 f41ef0 PeekMessageA 3896->3902 3897->3892 3898->3897 3903 f41f53 3898->3903 3904 f41f78 3899->3904 
3900 f41ddc 3906 f42772 _free 66 API calls 3900->3906 3902->3896 3907 f41ec1 3902->3907 3903->3897 3904->3782 3905 f41da1 wsprintfA lstrcatA lstrcatA LocalFree 3905->3900 3909 f41de7 3906->3909 3907->3902 3908 f41ed6 TranslateMessage DispatchMessageA 3907->3908 3908->3902 3909->3881 3911 f4232c 3910->3911 3911->3820 3911->3911 3913 f41786 lstrlenA 3912->3913 3914 f4177a lstrcatA 3912->3914 3918 f4179f __setmbcp_nolock 3913->3918 3914->3913 3915 f41802 3916 f4239a __setmbcp_nolock 5 API calls 3915->3916 3917 f4181d 3916->3917 3917->3821 3917->3830 3918->3915 3919 f417d8 SetCurrentDirectoryA 3918->3919 3919->3918 3920 f417e9 CreateDirectoryA 3919->3920 3920->3918 3922 f41864 3921->3922 3923 f41839 3921->3923 3922->3900 3922->3905 3923->3922 3924 f41843 GetProcAddress 3923->3924 3925 f41853 3924->3925 3926 f4185d FreeLibrary 3924->3926 3925->3926 3926->3922 3928 f4217d __initptd 3927->3928 3929 f42b65 __lock 61 API calls 3928->3929 3930 f42184 3929->3930 3931 f421af RtlDecodePointer 3930->3931 3934 f4222e 3930->3934 3933 f421c6 DecodePointer 3931->3933 3931->3934 3946 f421d9 3933->3946 3948 f4229c 3934->3948 3936 f422ab __initptd 3936->2969 3938 f42293 3940 f4229c 3938->3940 3941 f42059 __mtinitlocknum 3 API calls 3938->3941 3942 f422a9 3940->3942 3955 f42a8c LeaveCriticalSection 3940->3955 3941->3940 3942->2969 3944 f421f0 DecodePointer 3954 f42fd6 RtlEncodePointer 3944->3954 3946->3934 3946->3944 3947 f421ff DecodePointer DecodePointer 3946->3947 3953 f42fd6 RtlEncodePointer 3946->3953 3947->3946 3949 f422a2 3948->3949 3950 f4227c 3948->3950 3956 f42a8c LeaveCriticalSection 3949->3956 3950->3936 3952 f42a8c LeaveCriticalSection 3950->3952 3952->3938 3953->3946 3954->3946 3955->3942 3956->3950 3958 f42171 _doexit 66 API calls 3957->3958 3959 f422d8 3958->3959 3960 f42a35 3964 f42a45 3960->3964 3961 f42a51 DeleteCriticalSection 3962 f42772 _free 66 API calls 3961->3962 3962->3964 3963 f42a69 3965 f42a89 3963->3965 3966 f42a7b DeleteCriticalSection 3963->3966 
3964->3961 3964->3963 3966->3963 4088 f43556 4089 f4486c __calloc_crt 66 API calls 4088->4089 4090 f43562 EncodePointer 4089->4090 4091 f4357b 4090->4091 3967 f429b7 3968 f429c6 3967->3968 3969 f429cc 3967->3969 3970 f422c7 __amsg_exit 66 API calls 3968->3970 3973 f422ec 3969->3973 3970->3969 3972 f429d1 __initptd 3974 f42171 _doexit 66 API calls 3973->3974 3975 f422f7 3974->3975 3975->3972 4092 f43c57 IsProcessorFeaturePresent 4093 f42751 4096 f42741 4093->4096 4095 f4275e ctype 4099 f43e70 4096->4099 4098 f4274f 4098->4095 4100 f43e7c __initptd 4099->4100 4101 f42b65 __lock 66 API calls 4100->4101 4102 f43e83 4101->4102 4106 f42772 _free 66 API calls 4102->4106 4107 f43ebc 4102->4107 4108 f43eb3 4102->4108 4104 f43ecd __initptd 4104->4098 4105 f42772 _free 66 API calls 4105->4107 4106->4108 4109 f43ed7 4107->4109 4108->4105 4112 f42a8c LeaveCriticalSection 4109->4112 4111 f43ede 4111->4104 4112->4111 3976 f42bbc 3977 f42bbf 3976->3977 3980 f44906 3977->3980 3989 f42c37 DecodePointer 3980->3989 3982 f4490b 3983 f44916 3982->3983 3990 f42c44 3982->3990 3985 f4492e 3983->3985 3987 f42e14 __call_reportfault 8 API calls 3983->3987 3986 f422c7 __amsg_exit 66 API calls 3985->3986 3988 f44938 3986->3988 3987->3985 3989->3982 3994 f42c50 __initptd 3990->3994 3991 f42cab 3992 f42c8d DecodePointer 3991->3992 3997 f42cba 3991->3997 3998 f42c7c _siglookup 3992->3998 3993 f42c77 3995 f4310e __getptd_noexit 66 API calls 3993->3995 3994->3991 3994->3992 3994->3993 4000 f42c73 3994->4000 3995->3998 3999 f4348d __mtinitlocknum 66 API calls 3997->3999 4002 f42d17 3998->4002 4003 f42c85 __initptd 3998->4003 4005 f422c7 __amsg_exit 66 API calls 3998->4005 4001 f42cbf 3999->4001 4000->3993 4000->3997 4004 f42f8f _strcpy_s 11 API calls 4001->4004 4006 f42b65 __lock 66 API calls 4002->4006 4007 f42d22 4002->4007 4003->3983 4004->4003 4005->4002 4006->4007 4009 f42d57 4007->4009 4011 f42fd6 RtlEncodePointer 4007->4011 4012 f42dab 4009->4012 4011->4009 4013 f42db1 4012->4013 4014 f42db8 
4012->4014 4016 f42a8c LeaveCriticalSection 4013->4016 4014->4003 4016->4014 4017 f4543a 4018 f422fb __amsg_exit 66 API calls 4017->4018 4019 f45441 4018->4019 4113 f43f86 4114 f43fc2 4113->4114 4115 f43f98 4113->4115 4115->4114 4117 f42b98 4115->4117 4118 f42ba4 __initptd 4117->4118 4119 f43187 __getptd 66 API calls 4118->4119 4120 f42ba9 4119->4120 4121 f44906 _abort 68 API calls 4120->4121 4122 f42bcb __initptd 4121->4122 4122->4114 4020 f454e0 4021 f454f2 4020->4021 4023 f45500 @_EH4_CallFilterFunc@8 4020->4023 4022 f4239a __setmbcp_nolock 5 API calls 4021->4022 4022->4023 4123 f43800 4124 f4382c 4123->4124 4125 f43839 4123->4125 4126 f4239a __setmbcp_nolock 5 API calls 4124->4126 4127 f4239a __setmbcp_nolock 5 API calls 4125->4127 4126->4125 4129 f43849 __except_handler4 __IsNonwritableInCurrentImage 4127->4129 4128 f438cc 4129->4128 4130 f438a2 __except_handler4 4129->4130 4139 f45572 RtlUnwind 4129->4139 4130->4128 4131 f438bc 4130->4131 4132 f4239a __setmbcp_nolock 5 API calls 4130->4132 4133 f4239a __setmbcp_nolock 5 API calls 4131->4133 4132->4131 4133->4128 4135 f4391e __except_handler4 4136 f43952 4135->4136 4138 f4239a __setmbcp_nolock 5 API calls 4135->4138 4137 f4239a __setmbcp_nolock 5 API calls 4136->4137 4137->4130 4138->4136 4139->4135 4140 f46400 RtlUnwind 4028 f429e1 4031 f4478c 4028->4031 4030 f429e6 4030->4030 4032 f447b1 4031->4032 4033 f447be GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 4031->4033 4032->4033 4034 f447b5 4032->4034 4033->4034 4034->4030 4035 f431a1 4037 f431ad __initptd 4035->4037 4036 f431c5 4040 f431d3 4036->4040 4042 f42772 _free 66 API calls 4036->4042 4037->4036 4038 f432af __initptd 4037->4038 4039 f42772 _free 66 API calls 4037->4039 4039->4036 4041 f431e1 4040->4041 4043 f42772 _free 66 API calls 4040->4043 4044 f431ef 4041->4044 4045 f42772 _free 66 API calls 4041->4045 4042->4040 4043->4041 4046 f431fd 4044->4046 4047 f42772 _free 66 API calls 4044->4047 
4045->4044 4048 f4320b 4046->4048 4050 f42772 _free 66 API calls 4046->4050 4047->4046 4049 f43219 4048->4049 4051 f42772 _free 66 API calls 4048->4051 4052 f4322a 4049->4052 4053 f42772 _free 66 API calls 4049->4053 4050->4048 4051->4049 4054 f42b65 __lock 66 API calls 4052->4054 4053->4052 4055 f43232 4054->4055 4056 f4323e InterlockedDecrement 4055->4056 4057 f43257 4055->4057 4056->4057 4059 f43249 4056->4059 4071 f432bb 4057->4071 4059->4057 4062 f42772 _free 66 API calls 4059->4062 4061 f42b65 __lock 66 API calls 4063 f4326b 4061->4063 4062->4057 4064 f44a77 ___removelocaleref 8 API calls 4063->4064 4070 f4329c 4063->4070 4068 f43280 4064->4068 4067 f42772 _free 66 API calls 4067->4038 4069 f44b10 ___freetlocinfo 66 API calls 4068->4069 4068->4070 4069->4070 4074 f432c7 4070->4074 4077 f42a8c LeaveCriticalSection 4071->4077 4073 f43264 4073->4061 4078 f42a8c LeaveCriticalSection 4074->4078 4076 f432a9 4076->4067 4077->4073 4078->4076 4079 f429a3 4082 f43fd6 4079->4082 4083 f4310e __getptd_noexit 66 API calls 4082->4083 4084 f429b4 4083->4084 4085 f4186c 4086 f41205 Mailbox _lclose 4085->4086 4087 f41877 ctype 4086->4087 4141 f43fc8 SetUnhandledExceptionFilter

Control-flow Graph

C-Code - Quality: 98%
E00F4188B(CHAR* __ecx) {
    signed int _v8;
    char _v266;
    char _v267;
    char _v268;
    char _v528;
    char _v788;
    char _v1048;
    char _v1049;
    char _v1050;
    char _v1051;
    char _v1052;
    signed int _v1056;
    CHAR* _v1060;
    signed int _v1064;
    long _v1068;
    intOrPtr _v1072;
    long _v1076;
    long _v1080;
    long _v1084;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t77;
    int _t85;
    long _t99;
    int _t112;
    int _t114;
    int _t135;
    signed int _t142;
    signed int _t143;
    CHAR* _t160;
    void* _t161;
    CHAR* _t169;
    void* _t170;
    CHAR* _t172;
    intOrPtr _t174;
    CHAR* _t177;
    signed int _t178;
    void* _t179;
    void* _t180;
    signed int _t189;

    _t77 =  *0xf4a020; // 0xc9fd8a1f
    _v8 = _t77 ^ _t178;
    _v1056 = _v1056 & 0x00000000;
    _t169 = __ecx;
    _v1060 = __ecx;
    GetCurrentDirectoryA(0x104,  &_v1048);
    E00F42320( &_v268, 0, 0x104);
    _t180 = _t179 + 0xc;
    GetTempPathA(0x104,  &_v268);
    _t172 = _t169 + 0x1008;
    _t85 = lstrlenA(_t172);
    _t170 = lstrcpyA;
    if(_t85 > 2 && E00F41747(_t172) != 0) {
        lstrcpyA( &_v268, _t172);
    }
    _t174 =  &_v268 - 1;
    _v1072 = _t174;
    if( *((char*)(lstrlenA( &_v268) + _t174)) != 0x5c) {
        lstrcatA( &_v268, "\\");
    }
    _v1064 = _v1064 & 0x00000000;
    wsprintfA( &_v528, "%s%s_%d",  &_v268, "_ir_sf_temp", 0);
    wsprintfA( &_v788, "%s\\irsetup.exe",  &_v528);
    while(1) {
        _t180 = _t180 + 0x20;
        DeleteFileA( &_v788); // executed
        RemoveDirectoryA( &_v528); // executed
        _t99 = GetFileAttributesA( &_v528); // executed
        if(_t99 == 0xffffffff) {
            break;
        }
        _v1064 = _v1064 + 1;
        wsprintfA( &_v528, "%s%s_%d",  &_v268, "_ir_sf_temp", _v1064);
        wsprintfA( &_v788, "%s\\irsetup.exe",  &_v528);
    }
    CreateDirectoryA( &_v528, 0); // executed
    lstrcpyA( &_v268,  &_v528);
    _t112 = SetCurrentDirectoryA( &_v268); // executed
    if(_t112 == 0) {
        lstrcpyA( &_v268, "c:\\temp");
        CreateDirectoryA( &_v268, 0);
    }
    _t114 = SetCurrentDirectoryA( &_v268);
    _t177 = _v1060;
    if(_t114 == 0) {
        lstrcpyA( &(_t177[8]), "Could not determine a temp directory name.  Try running setup.exe /T:<Path>");
        _v1056 = 0x38;
    }
    if( *((char*)(lstrlenA( &_v268) + _v1072)) != 0x5c) {
        lstrcatA( &_v268, "\\");
    }
    _t160 =  &(_t177[0x1224]);
    lstrcpyA(_t160,  &_v268);
    lstrcpyA( &(_t177[0x1328]),  &_v268);
    _t161 = lstrcatA;
    lstrcatA(_t160, "irsetup.exe");
    lstrcpyA( &(_t177[0x142c]),  &_v268);
    lstrcatA( &(_t177[0x142c]), "lua5.1.dll");
    _v1052 = _v268;
    _v1051 = _v267;
    _v1050 = _v266;
    _v1049 = 0;
    _t135 = GetDiskFreeSpaceA( &_v1052,  &_v1080,  &_v1068,  &_v1076,  &_v1084); // executed
    if(_t135 == 0) {
        L18:
        lstrcpyA(_t177, "You must have at least 2MB of free space on your TEMP drive!");
        _v1056 = 0x39;
    } else {
        _t142 = _v1080 * _v1068;
        _t168 = _t142 * _v1076 >> 0x20;
        _t143 = _t142 * _v1076;
        _t189 = _t142 * _v1076 >> 0x20;
        if(_t189 <= 0 && (_t189 < 0 || _t143 < 0x1e8480)) {
            goto L18;
        }
    }
    SetCurrentDirectoryA( &_v1048); // executed
    return E00F4239A(_v1056, _t161, _v8 ^ _t178, _t168, _t170, _t177);
}

[Instruction address column for the listing above (0x00f41894 through 0x00f41b8b, with 0x00000000 placeholders for the two goto/break edges); the per-line alignment with the C code was lost in extraction.]

APIs
• GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,?,00000000), ref: 00F418BD
• GetTempPathA.KERNEL32(00000104,?), ref: 00F418DD
• lstrlenA.KERNEL32(?), ref: 00F418F0
• lstrcpyA.KERNEL32(?,?,?), ref: 00F41915
• lstrlenA.KERNEL32(?), ref: 00F4192B
• lstrcatA.KERNEL32(?,00F47380), ref: 00F4193F
• wsprintfA.USER32 ref: 00F4196C
• wsprintfA.USER32 ref: 00F41981
• wsprintfA.USER32 ref: 00F419AF
• wsprintfA.USER32 ref: 00F419C4
• DeleteFileA.KERNELBASE(?), ref: 00F419D0
• RemoveDirectoryA.KERNELBASE(?), ref: 00F419D9
• GetFileAttributesA.KERNELBASE(?), ref: 00F419E6
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00F41A00
• lstrcpyA.KERNEL32(?,?), ref: 00F41A10
• SetCurrentDirectoryA.KERNELBASE(?), ref: 00F41A1F
• lstrcpyA.KERNEL32(?,c:\temp), ref: 00F41A31
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00F41A3C
• SetCurrentDirectoryA.KERNEL32(?), ref: 00F41A45
• lstrcpyA.KERNEL32(?,Could not determine a temp directory name. Try running setup.exe /T:<Path>), ref: 00F41A5A
• lstrlenA.KERNEL32(?), ref: 00F41A6D
• lstrcatA.KERNEL32(?,00F47380), ref: 00F41A8B
• lstrcpyA.KERNEL32(?,?), ref: 00F41A9F
• lstrcpyA.KERNEL32(?,?), ref: 00F41AAF
  • Part of subcall function 00F41747: lstrlenA.KERNEL32(00F41909,74CF8170,?,74CB6980), ref: 00F41771
                                                                                                                                • Part of subcall function 00F41747: lstrcatA.KERNEL32(00F41909,00F47380), ref: 00F41780
                                                                                                                                • Part of subcall function 00F41747: lstrlenA.KERNEL32(00F41909), ref: 00F41787
                                                                                                                                • Part of subcall function 00F41747: SetCurrentDirectoryA.KERNEL32(?), ref: 00F417DF
                                                                                                                                • Part of subcall function 00F41747: CreateDirectoryA.KERNEL32(?,00000000), ref: 00F417F1
                                                                                                                              • lstrcatA.KERNEL32(?,irsetup.exe), ref: 00F41ABD
                                                                                                                              • lstrcpyA.KERNEL32(?,?), ref: 00F41ACD
                                                                                                                              • lstrcatA.KERNEL32(?,lua5.1.dll), ref: 00F41ADB
                                                                                                                              • GetDiskFreeSpaceA.KERNELBASE(?,?,?,?,?), ref: 00F41B2B
                                                                                                                              • lstrcpyA.KERNEL32(?,You must have at least 2MB of free space on your TEMP drive!), ref: 00F41B5E
                                                                                                                              • SetCurrentDirectoryA.KERNELBASE(?), ref: 00F41B71
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Directory$lstrcpy$Currentlstrcatlstrlen$wsprintf$Create$File$AttributesDeleteDiskFreePathRemoveSpaceTemp
                                                                                                                              • String ID: %s%s_%d$%s\irsetup.exe$9$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
                                                                                                                              • API String ID: 597744483-2787291893
                                                                                                                              • Opcode ID: 29f67194f9175163e84d2c76a470be449c910bea41cf768c3c75d3ab32808392
                                                                                                                              • Instruction ID: fdba9e2a40074161c43b1f680e5c75d7bf3ed5b7261f5620ebb9f42f8fb2573e
                                                                                                                              • Opcode Fuzzy Hash: 29f67194f9175163e84d2c76a470be449c910bea41cf768c3c75d3ab32808392
                                                                                                                              • Instruction Fuzzy Hash: 7B8123B6D0531C9ACB21EB64CC84FDABBBCAB59300F4044D5EA49E3151DB74ABC89F64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 135 f41000-f41064 call f423b0 LoadCursorA SetCursor call f411a3 call f42320 lstrlenA 142 f41074-f41097 call f42320 135->142 143 f41066-f4106e lstrcpyA 135->143 146 f41151-f41164 call f41f7a 142->146 147 f4109d-f4109f 142->147 143->142 157 f41185-f411a0 call f41205 call f4239a 146->157 158 f41166-f4116d 146->158 148 f410a0-f410bc lstrcpyA 147->148 150 f41120-f4113c CompareStringA 148->150 151 f410be-f410c6 148->151 153 f41144-f4114b 150->153 154 f4113e 150->154 155 f410c8-f410ca 151->155 156 f410ea-f410f6 lstrlenA 151->156 153->146 153->148 154->153 159 f410d4-f410e0 lstrlenA 155->159 160 f410cc-f410ce 155->160 156->150 163 f410f8-f410ff 156->163 158->157 161 f4116f-f4117f MessageBoxA 158->161 159->150 166 f410e2-f410e8 159->166 160->156 165 f410d0-f410d2 160->165 161->157 163->150 164 f41101-f41104 163->164 164->150 168 f41106-f4111d call f423e0 164->168 165->150 165->159 166->150 168->150
                                                                                                                              C-Code - Quality: 97%
                                                                                                                              			E00F41000(void* __edx, void* __eflags, CHAR* _a12) {
                                                                                                                              				signed int _v8;
                                                                                                                              				char _v265;
                                                                                                                              				char _v266;
                                                                                                                              				intOrPtr _v267;
                                                                                                                              				char _v268;
                                                                                                                              				intOrPtr _v1356;
                                                                                                                              				int _v1360;
                                                                                                                              				char _v1620;
                                                                                                                              				char _v3668;
                                                                                                                              				char _v5716;
                                                                                                                              				char _v5724;
                                                                                                                              				void* __ebx;
                                                                                                                              				void* __edi;
                                                                                                                              				void* __esi;
                                                                                                                              				signed int _t28;
                                                                                                                              				intOrPtr _t45;
                                                                                                                              				int _t49;
                                                                                                                              				intOrPtr _t50;
                                                                                                                              				int _t52;
                                                                                                                              				void* _t62;
                                                                                                                              				void* _t68;
                                                                                                                              				CHAR* _t69;
                                                                                                                              				signed int _t70;
                                                                                                                              				signed int _t75;
                                                                                                                              				void* _t76;
                                                                                                                              				void* _t77;
                                                                                                                              				void* _t78;
                                                                                                                              				void* _t81;
                                                                                                                              				void* _t90;
                                                                                                                              
                                                                                                                              				_t68 = __edx;
                                                                                                                              				E00F423B0(0x1658);
                                                                                                                              				_t28 =  *0xf4a020; // 0xc9fd8a1f
                                                                                                                              				_v8 = _t28 ^ _t75;
                                                                                                                              				_t69 = _a12;
                                                                                                                              				 *0xf4ab80 = 0;
                                                                                                                              				SetCursor(LoadCursorA(0, 0x7f02));
                                                                                                                              				E00F411A3( &_v5724);
                                                                                                                              				E00F42320( &_v3668, 0, 0x800);
                                                                                                                              				_t62 = lstrlenA;
                                                                                                                              				_t77 = _t76 + 0xc;
                                                                                                                              				if(lstrlenA(_t69) < 0x800) {
                                                                                                                              					lstrcpyA( &_v3668, _t69);
                                                                                                                              				}
                                                                                                                              				_t70 = 0;
                                                                                                                              				_v1360 = 0;
                                                                                                                              				E00F42320( &_v1620, 0, 0x104);
                                                                                                                              				_t78 = _t77 + 0xc;
                                                                                                                              				_t81 =  *0xf4ab88 - _t70; // 0x1
                                                                                                                              				if(_t81 <= 0) {
                                                                                                                              					L18:
                                                                                                                              					_t21 = E00F41F7A( &_v5724, _t68, _t90) - 0x32; // -50
                                                                                                                              					if(_t21 <= 0x31 && _v1356 == 0) {
                                                                                                                              						MessageBoxA(0,  &_v5716, "Launcher Error", 0x10);
                                                                                                                              					}
                                                                                                                              					E00F41205( &_v5724);
                                                                                                                              					return E00F4239A(_t72, _t62, _v8 ^ _t75, _t68, _t70, _t72);
                                                                                                                              				} else {
                                                                                                                              					do {
                                                                                                                              						_t45 =  *0xf4ab8c; // 0xd61830
                                                                                                                              						lstrcpyA( &_v268,  *(_t45 + _t70 * 4));
                                                                                                                              						if(_v268 != 0x2f) {
                                                                                                                              							goto L15;
                                                                                                                              						}
                                                                                                                              						_t50 = _v267;
                                                                                                                              						if(_t50 == 0x54) {
                                                                                                                              							L11:
                                                                                                                              							_t52 = lstrlenA( &_v268);
                                                                                                                              							__eflags = _t52 - 3;
                                                                                                                              							if(__eflags > 0) {
                                                                                                                              								__eflags = _v266 - 0x3a;
                                                                                                                              								if(__eflags == 0) {
                                                                                                                              									__eflags = _t52 - 3;
                                                                                                                              									if(__eflags > 0) {
                                                                                                                              										__eflags = _t52 + 0xfffffffd;
                                                                                                                              										E00F423E0( &_v1620,  &_v265, _t52 + 0xfffffffd);
                                                                                                                              										_t78 = _t78 + 0xc;
                                                                                                                              									}
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              							goto L15;
                                                                                                                              						}
                                                                                                                              						if(_t50 == 0x57) {
                                                                                                                              							L9:
                                                                                                                              							if(lstrlenA( &_v268) == 2) {
                                                                                                                              								_v1360 = 1;
                                                                                                                              							}
                                                                                                                              							goto L15;
                                                                                                                              						}
                                                                                                                              						if(_t50 == 0x74) {
                                                                                                                              							goto L11;
                                                                                                                              						}
                                                                                                                              						if(_t50 != 0x77) {
                                                                                                                              							goto L15;
                                                                                                                              						}
                                                                                                                              						goto L9;
                                                                                                                              						L15:
                                                                                                                              						_t49 = CompareStringA(0x7f, 1,  &_v268, 0xffffffff, "/~DBG", 0xffffffff); // executed
                                                                                                                              						if(_t49 == 2) {
                                                                                                                              							 *0xf4ab80 = 1;
                                                                                                                              						}
                                                                                                                              						_t70 = _t70 + 1;
                                                                                                                              						_t90 = _t70 -  *0xf4ab88; // 0x1
                                                                                                                              					} while (_t90 < 0);
                                                                                                                              					goto L18;
                                                                                                                              				}
			}

Address column of the listing above: 0x00f41000 0x00f41008 0x00f4100d 0x00f41014 0x00f4101a 0x00f41025 0x00f41032 0x00f4103e 0x00f41051 0x00f41056 0x00f4105c 0x00f41064 0x00f4106e 0x00f4106e 0x00f41074 0x00f41083 0x00f41089 0x00f4108e 0x00f41091 0x00f41097 0x00f41151 0x00f4115e 0x00f41164 0x00f4117f 0x00f4117f 0x00f4118b 0x00f411a0 0x00f4109d 0x00f410a0 0x00f410a0 0x00f410af 0x00f410bc 0x00000000 0x00000000 0x00f410be 0x00f410c6 0x00f410ea 0x00f410f1 0x00f410f3 0x00f410f6 0x00f410f8 0x00f410ff 0x00f41101 0x00f41104 0x00f41106 0x00f41118 0x00f4111d 0x00f4111d 0x00f41104 0x00f410ff 0x00000000 0x00f410f6 0x00f410ca 0x00f410d4 0x00f410e0 0x00f410e2 0x00f410e2 0x00000000 0x00f410e0 0x00f410ce 0x00000000 0x00000000
                                                                                                                              0x00f410d2
                                                                                                                              0x00000000
                                                                                                                              0x00000000
                                                                                                                              0x00000000
                                                                                                                              0x00f41120
                                                                                                                              0x00f41133
                                                                                                                              0x00f4113c
                                                                                                                              0x00f4113e
                                                                                                                              0x00f4113e
                                                                                                                              0x00f41144
                                                                                                                              0x00f41145
                                                                                                                              0x00f41145
                                                                                                                              0x00000000
                                                                                                                              0x00f410a0

                                                                                                                              APIs
                                                                                                                              • LoadCursorA.USER32 ref: 00F4102B
                                                                                                                              • SetCursor.USER32(00000000), ref: 00F41032
                                                                                                                              • lstrlenA.KERNEL32(?), ref: 00F41060
                                                                                                                              • lstrcpyA.KERNEL32(?,?), ref: 00F4106E
                                                                                                                              • lstrcpyA.KERNEL32(?,00D61830), ref: 00F410AF
                                                                                                                              • lstrlenA.KERNEL32(0000002F), ref: 00F410DB
                                                                                                                              • lstrlenA.KERNEL32(0000002F), ref: 00F410F1
                                                                                                                              • _memmove.LIBCMT ref: 00F41118
                                                                                                                              • CompareStringA.KERNELBASE(0000007F,00000001,0000002F,000000FF,/~DBG,000000FF), ref: 00F41133
                                                                                                                              • MessageBoxA.USER32 ref: 00F4117F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString_memmove
                                                                                                                              • String ID: /$/~DBG$:$Launcher Error
                                                                                                                              • API String ID: 1772744953-896055402
                                                                                                                              • Opcode ID: 747436c40a55e8e75ce01c2a853fb1fc9b471794d605c76ca6eb06bb6ba24403
                                                                                                                              • Instruction ID: 14ad7eb6c9e41635560a328eb63a759039a6354610e4ff483fcbf1b91d673322
                                                                                                                              • Opcode Fuzzy Hash: 747436c40a55e8e75ce01c2a853fb1fc9b471794d605c76ca6eb06bb6ba24403
                                                                                                                              • Instruction Fuzzy Hash: E241E275C0421C9BDB20DBA8DC44AEF7B7DBBA2364F4001A5F945E2141C7789EC5AF51
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              C-Code - Quality: 91%
                                                                                                                              			E00F41B8C(CHAR* __ecx, void* __edx) {
                                                                                                                              				signed int _v8;
                                                                                                                              				char _v300;
                                                                                                                              				struct HWND__* _v304;
                                                                                                                              				void* _v308;
                                                                                                                              				void* _v312;
                                                                                                                              				long _v316;
                                                                                                                              				struct _SHELLEXECUTEINFOA _v376;
                                                                                                                              				struct tagMSG _v404;
                                                                                                                              				void* _v416;
                                                                                                                              				char _v420;
                                                                                                                              				struct HWND__* _v436;
                                                                                                                              				short _v438;
                                                                                                                              				struct HWND__* _v444;
                                                                                                                              				struct HWND__* _v480;
                                                                                                                              				void* _v484;
                                                                                                                              				char _v488;
                                                                                                                              				void* __ebx;
                                                                                                                              				void* __edi;
                                                                                                                              				void* __esi;
                                                                                                                              				signed int _t90;
                                                                                                                              				int _t103;
                                                                                                                              				int _t138;
                                                                                                                              				struct HWND__* _t141;
                                                                                                                              				void* _t158;
                                                                                                                              				int _t159;
                                                                                                                              				CHAR* _t172;
                                                                                                                              				void* _t181;
                                                                                                                              				intOrPtr _t183;
                                                                                                                              				void* _t184;
                                                                                                                              				CHAR* _t186;
                                                                                                                              				void* _t188;
                                                                                                                              				long _t189;
                                                                                                                              				signed int _t192;
                                                                                                                              				void* _t193;
                                                                                                                              				void* _t194;
                                                                                                                              				void* _t197;
                                                                                                                              				intOrPtr _t205;
                                                                                                                              
                                                                                                                              				_t181 = __edx;
                                                                                                                              				_t90 =  *0xf4a020; // 0xc9fd8a1f
                                                                                                                              				_v8 = _t90 ^ _t192;
                                                                                                                              				_t172 = __ecx;
                                                                                                                              				_v488 = 0;
                                                                                                                              				E00F42320( &_v484, 0, 0x40);
                                                                                                                              				_v420 = 0;
                                                                                                                              				asm("stosd");
                                                                                                                              				asm("stosd");
                                                                                                                              				asm("stosd");
                                                                                                                              				_t183 = 0x44;
                                                                                                                              				E00F42320( &_v488, 0, _t183);
                                                                                                                              				E00F42320( &_v420, 0, 0x10);
                                                                                                                              				_push(_t172[0x153c]);
                                                                                                                              				_v438 = 0;
                                                                                                                              				_v488 = _t183;
                                                                                                                              				_t184 = wsprintfA;
                                                                                                                              				_v484 = 0;
                                                                                                                              				_v436 = 0;
                                                                                                                              				_v480 = 0;
                                                                                                                              				_v444 = 0;
                                                                                                                              				wsprintfA( &_v300, "__IRAOFF:%I64u", _t172[0x1538]);
                                                                                                                              				_t194 = _t193 + 0x34;
                                                                                                                              				_t103 = lstrlenA( &(_t172[0x808]));
                                                                                                                              				_t188 = lstrcatA;
                                                                                                                              				if(_t103 != 0) {
                                                                                                                              					lstrcatA( &(_t172[0x808]), " ");
                                                                                                                              				}
                                                                                                                              				lstrcatA( &(_t172[0x808]),  &_v300);
                                                                                                                              				wsprintfA( &_v300, "\"__IRAFN:%s\"",  &(_t172[0x1120]));
                                                                                                                              				lstrcatA( &(_t172[0x808]), " ");
                                                                                                                              				lstrcatA( &(_t172[0x808]),  &_v300);
                                                                                                                              				wsprintfA( &_v300, "\"__IRCT:%d\"", _t172[0x1114] & 0x000000ff);
                                                                                                                              				lstrcatA( &(_t172[0x808]), " ");
                                                                                                                              				lstrcatA( &(_t172[0x808]),  &_v300);
                                                                                                                              				_push(_t172[0x111c]);
                                                                                                                              				wsprintfA( &_v300, "\"__IRTSS:%I64u\"", _t172[0x1118]);
                                                                                                                              				_t197 = _t194 + 0x28;
                                                                                                                              				lstrcatA( &(_t172[0x808]), " ");
                                                                                                                              				lstrcatA( &(_t172[0x808]),  &_v300);
                                                                                                                              				_v308 = _v308 & 0x00000000;
                                                                                                                              				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v308) != 0) {
                                                                                                                              					_v316 = _v316 & 0x00000000;
                                                                                                                              					_t158 = E00F427AC(_t181, _t184, _t188, 0x4000);
                                                                                                                              					_v312 = _t158;
                                                                                                                              					if(_t158 != 0) {
                                                                                                                              						_t159 = GetTokenInformation(_v308, 1, _t158, 0x4000,  &_v316); // executed
                                                                                                                              						if(_t159 != 0) {
                                                                                                                              							_v304 = _v304 & 0x00000000;
                                                                                                                              							if(E00F41821( *_v312,  &_v304) != 0 && _v304 != 0) {
                                                                                                                              								wsprintfA( &_v300, "\"__IRSID:%s\"", _v304);
                                                                                                                              								_t197 = _t197 + 0xc;
                                                                                                                              								_t186 =  &(_t172[0x808]);
                                                                                                                              								lstrcatA(_t186, " ");
                                                                                                                              								lstrcatA(_t186,  &_v300);
                                                                                                                              								LocalFree(_v304);
                                                                                                                              							}
                                                                                                                              							E00F42772(_v312);
                                                                                                                              						}
                                                                                                                              					}
                                                                                                                              				}
                                                                                                                              				_t205 =  *0xf4ab80; // 0x0
                                                                                                                              				if(_t205 != 0) {
                                                                                                                              					MessageBoxA(0,  &(_t172[0x808]),  &(_t172[0x1224]), 0);
                                                                                                                              				}
                                                                                                                              				_t189 = 0x3c;
                                                                                                                              				E00F42320( &_v376, 0, _t189);
                                                                                                                              				_v376.lpFile =  &(_t172[0x1224]);
                                                                                                                              				_v376.cbSize = _t189;
                                                                                                                              				_v376.lpParameters =  &(_t172[0x808]);
                                                                                                                              				_v376.fMask = 0x40;
                                                                                                                              				_v376.hwnd = 0;
                                                                                                                              				_v376.lpVerb = "open";
                                                                                                                              				_v376.lpDirectory = 0;
                                                                                                                              				_v376.nShow = 1;
                                                                                                                              				_v376.hInstApp = 0;
                                                                                                                              				_t138 = ShellExecuteExA( &_v376); // executed
                                                                                                                              				if(_t138 != 0) {
                                                                                                                              					if(_t172[0x110c] == 0) {
                                                                                                                              						L22:
                                                                                                                              						GetExitCodeProcess(_v376.hProcess,  &(_t172[0x1548])); // executed
                                                                                                                              						_t141 = _t172[0x1548];
                                                                                                                              						_v304 = _t141;
                                                                                                                              						_t172[0x1110] = 1;
                                                                                                                              						if(_t141 == 0x103 && _t172[0x110c] == 0) {
                                                                                                                              							_v304 = 0;
                                                                                                                              						}
                                                                                                                              						CloseHandle(_v376.hProcess);
                                                                                                                              						goto L26;
                                                                                                                              					}
                                                                                                                              					while(MsgWaitForMultipleObjects(1,  &(_v376.hProcess), 0, 0xffffffff, 0xff) == 1) {
                                                                                                                              						while(PeekMessageA( &_v404, 0, 0, 0, 1) > 0) {
                                                                                                                              							if(_v404.message == 0xf || _v404.message == 0x200) {
								TranslateMessage( &_v404);
								DispatchMessageA( &_v404);
							}
						}
					}
					goto L22;
				} else {
					// ShellExecuteExA failed: 0x4c7 is ERROR_CANCELLED (the elevation prompt was declined)
					if(GetLastError() == 0x4c7) {
						_v304 = 5;
					} else {
						lstrcpyA(_t172, "Could not start the setup");
						_v304 = 0x37;
					}
					L26:
					return E00F4239A(_v304, _t172, _v8 ^ _t192, _t181, 0, 1);
				}
			}

APIs
• wsprintfA.USER32 ref: 00F41C31
• lstrlenA.KERNEL32(?), ref: 00F41C3D
• lstrcatA.KERNEL32(?,00F474E0), ref: 00F41C59
• lstrcatA.KERNEL32(?,?), ref: 00F41C69
• wsprintfA.USER32 ref: 00F41C7E
• lstrcatA.KERNEL32(?,00F474E0), ref: 00F41C8F
• lstrcatA.KERNEL32(?,?), ref: 00F41C9F
• wsprintfA.USER32 ref: 00F41CB5
• lstrcatA.KERNEL32(?,00F474E0), ref: 00F41CC6
• lstrcatA.KERNEL32(?,?), ref: 00F41CD6
• wsprintfA.USER32 ref: 00F41CF0
• lstrcatA.KERNEL32(?,00F474E0), ref: 00F41D01
• lstrcatA.KERNEL32(?,?), ref: 00F41D11
• GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00F41D23
• OpenProcessToken.ADVAPI32(00000000), ref: 00F41D2A
• _malloc.LIBCMT ref: 00F41D44
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00004000,00000000), ref: 00F41D6D
• wsprintfA.USER32 ref: 00F41DB3
• lstrcatA.KERNEL32(?,00F474E0), ref: 00F41DC4
• lstrcatA.KERNEL32(?,?), ref: 00F41DCE
• LocalFree.KERNEL32(00000000), ref: 00F41DD6
• _free.LIBCMT ref: 00F41DE2
  • Part of subcall function 00F42772: RtlFreeHeap.NTDLL(00000000,00000000,?,00F43178,00000000), ref: 00F42788
  • Part of subcall function 00F42772: GetLastError.KERNEL32(00000000,?,00F43178,00000000), ref: 00F4279A
• MessageBoxA.USER32 ref: 00F41E02
• ShellExecuteExA.SHELL32(?), ref: 00F41E73
• GetLastError.KERNEL32 ref: 00F41E7D
• lstrcpyA.KERNEL32(?,Could not start the setup), ref: 00F41E93
Strings
Memory Dump Source
• Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
Similarity
• API ID: lstrcat$wsprintf$ErrorFreeLastProcessToken$CurrentExecuteHeapInformationLocalMessageOpenShell_free_malloclstrcpylstrlen
• String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$7$@$Could not start the setup$__IRAOFF:%I64u$open
• API String ID: 2145089835-2339310841
• Opcode ID: 117b68cd5443a05bf2ecd19ec951a7eb4733e94c7d1a83673e02b24668d87e52
• Instruction ID: ced285c80b294ae2d2f6a26cedd04eac718fc38cbb845f93132ad4a264120a10
• Opcode Fuzzy Hash: 117b68cd5443a05bf2ecd19ec951a7eb4733e94c7d1a83673e02b24668d87e52
• Instruction Fuzzy Hash: C0B13C75900228ABDB61EF64DC44BDA7BBCFF49710F0000E6EE49E6151DB349A88DFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image omitted: basic blocks of function f41233 annotated with _lopen, lstrcpyA, _llseek, _lread and calls to f427ac and f42772]

C-Code - Quality: 77%
			E00F41233(void* __ecx) {
				void _v5;
				int _v12;
				long _v16;
				void* __edi;
				void* __esi;
				int _t81;
				void* _t82;
				int _t87;
				int _t91;
				int _t103;
				intOrPtr* _t104;
				void* _t107;
				void* _t108;
				void* _t113;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t118;

				_t118 = __ecx;
				_t117 = 0;
				_v12 = 0;
				_v16 = 0x7d00;
				// the object holds the file path at offset 0x1120; the handle is cached at offset 0x1530
				_t81 = _lopen(__ecx + 0x1120, 0); // executed
				_t103 = _t81;
				 *(_t118 + 0x1530) = _t103;
				if(_t103 != 0xffffffff) {
					// allocate a 0x1f400-byte read buffer (subcall E00F427AC)
					_t82 = E00F427AC(_t115, 0, _t118, 0x1f400); // executed
					_t117 = _t82;
					if(_t117 != 0) {
						_t104 = _llseek; // executed
						// scan the file in 0x1f400-byte chunks, starting at offset 0x7d00 and stopping at 0xa00000
						_llseek(_t103, 0x7d00, 0); // executed
						while(_v16 < 0xa00000) {
							_t87 = _lread( *(_t118 + 0x1530), _t117, 0x1f400); // executed
							_t113 = 0;
							if(_t87 == 0) {
								L25:
								_v16 = _v16 + _t87;
								continue;
							} else {
								goto L7;
							}
							while(1) {
								L7:
								_t9 = _t113 + 0xf; // 0xf
								_t116 = _t9;
								// look for the 16-byte marker e0 e0 e1 e1 e2 e2 e3 e3 e4 e4 e5 e5 e6 e6 e7 e7 inside the chunk
								if( *((char*)(_t117 + _t116 - 0xf)) == 0xe0 && _t116 < _t87 &&
								    *((char*)(_t113 + _t117 + 1)) == 0xe0 &&
								    *((char*)(_t113 + _t117 + 2)) == 0xe1 &&
								    *((char*)(_t113 + _t117 + 3)) == 0xe1 &&
								    *((char*)(_t113 + _t117 + 4)) == 0xe2 &&
								    *((char*)(_t113 + _t117 + 5)) == 0xe2 &&
								    *((char*)(_t113 + _t117 + 6)) == 0xe3 &&
								    *((char*)(_t113 + _t117 + 7)) == 0xe3 &&
								    *((char*)(_t113 + _t117 + 8)) == 0xe4 &&
								    *((char*)(_t113 + _t117 + 9)) == 0xe4 &&
								    *((char*)(_t113 + _t117 + 0xa)) == 0xe5 &&
								    *((char*)(_t113 + _t117 + 0xb)) == 0xe5 &&
								    *((char*)(_t113 + _t117 + 0xc)) == 0xe6 &&
								    *((char*)(_t113 + _t117 + 0xd)) == 0xe6 &&
								    *((char*)(_t113 + _t117 + 0xe)) == 0xe7 &&
								    *((char*)(_t113 + _t117 + 0xf)) == 0xe7) {
									break;
                                                                                                                              								}
                                                                                                                              								_t113 = _t113 + 1;
                                                                                                                              								if(_t113 < _t87) {
                                                                                                                              									continue;
                                                                                                                              								}
                                                                                                                              								goto L25;
                                                                                                                              							}
                                                                                                                              							 *(_t118 + 0x153c) =  *(_t118 + 0x153c) & 0x00000000;
                                                                                                                              							_t48 = _t113 + 0x10; // 0xa00010
                                                                                                                              							_t114 = _v16 + _t48;
                                                                                                                              							 *(_t118 + 0x1538) = _t114;
                                                                                                                              							_v5 = 0;
                                                                                                                              							 *_t104( *(_t118 + 0x1530), _t114, 0); // executed
                                                                                                                              							_t91 = _lread( *(_t118 + 0x1530),  &_v5, 1); // executed
                                                                                                                              							if(_t91 == 1) {
                                                                                                                              								 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 1;
                                                                                                                              								asm("adc dword [esi+0x153c], 0x0");
                                                                                                                              								if(_v5 == 0) {
                                                                                                                              									 *((intOrPtr*)(_t118 + 0x110c)) = 1;
                                                                                                                              								}
                                                                                                                              								_t107 = _t118 + 0x1114;
                                                                                                                              								 *_t107 = 0; // executed
                                                                                                                              								_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
                                                                                                                              								if(_lread( *(_t118 + 0x1530), _t107, 1) == 1) {
                                                                                                                              									 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 1;
                                                                                                                              									_t108 = _t118 + 0x1118;
                                                                                                                              									asm("adc dword [esi+0x153c], 0x0");
                                                                                                                              									 *_t108 = 0;
                                                                                                                              									 *((intOrPtr*)(_t108 + 4)) = 0;
                                                                                                                              									_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
                                                                                                                              									if(_lread( *(_t118 + 0x1530), _t108, 8) == 8) {
                                                                                                                              										 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 8;
                                                                                                                              										asm("adc dword [esi+0x153c], 0x0");
                                                                                                                              										_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
                                                                                                                              										if(_lread( *(_t118 + 0x1530), _t118 + 0x1540, 8) == 8) {
                                                                                                                              											 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 8;
                                                                                                                              											asm("adc dword [esi+0x153c], 0x0");
                                                                                                                              										} else {
                                                                                                                              											lstrcpyA(_t118 + 8, "Could not find setup size");
                                                                                                                              											_v12 = 0x35;
                                                                                                                              										}
                                                                                                                              										goto L39;
                                                                                                                              									}
                                                                                                                              									_push("Could not find total size indicator");
                                                                                                                              									goto L29;
                                                                                                                              								} else {
                                                                                                                              									_push("Could not find compression type indicator");
                                                                                                                              									L29:
                                                                                                                              									lstrcpyA(_t118 + 8, ??);
                                                                                                                              									_v12 = 0x34;
                                                                                                                              									L39:
                                                                                                                              									E00F42772(_t117);
                                                                                                                              									return _v12;
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              							_push("Could not find multi-segment indicator");
                                                                                                                              							goto L29;
                                                                                                                              						}
                                                                                                                              						_push("Could not find data segment");
                                                                                                                              						goto L29;
                                                                                                                              					}
                                                                                                                              					lstrcpyA(_t118 + 8, "Unable to allocate memory buffer");
                                                                                                                              					_v12 = 0x33;
                                                                                                                              					goto L39;
                                                                                                                              				}
                                                                                                                              				lstrcpyA(_t118 + 8, "Unable to open archive file");
                                                                                                                              				_v12 = 0x32;
                                                                                                                              				goto L39;
                                                                                                                              			}

                                                                                                                              APIs
                                                                                                                              • _lopen.KERNEL32(?,00000000), ref: 00F41252
                                                                                                                              • lstrcpyA.KERNEL32(?,Unable to open archive file), ref: 00F4126E
                                                                                                                              • _malloc.LIBCMT ref: 00F41285
                                                                                                                              • lstrcpyA.KERNEL32(?,Unable to allocate memory buffer), ref: 00F4129A
                                                                                                                              • _free.LIBCMT ref: 00F414C0
                                                                                                                              Strings
                                                                                                                              • Unable to open archive file, xrefs: 00F41265
                                                                                                                              • 5, xrefs: 00F414A8
                                                                                                                              • Unable to allocate memory buffer, xrefs: 00F41291
                                                                                                                              • Could not find total size indicator, xrefs: 00F41457
                                                                                                                              • Could not find setup size, xrefs: 00F41499
                                                                                                                              • Could not find multi-segment indicator, xrefs: 00F413A0
                                                                                                                              • Could not find data segment, xrefs: 00F413A7
                                                                                                                              • Could not find compression type indicator, xrefs: 00F4140C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpy$_free_lopen_malloc
                                                                                                                              • String ID: 5$Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
                                                                                                                              • API String ID: 3261646874-2242580901
                                                                                                                              • Opcode ID: 75952cd37aed24b822759e8bf8663704e7d6c3b8243658c4675991d780776221
                                                                                                                              • Instruction ID: d2811cc32b9111707365adb03f11796627c388dfc2114cf366f3162543572861
                                                                                                                              • Opcode Fuzzy Hash: 75952cd37aed24b822759e8bf8663704e7d6c3b8243658c4675991d780776221
                                                                                                                              • Instruction Fuzzy Hash: 98713674C08B41EAEB308F348C84BE5BEA0BB52375F14879DEC7A954D1D3319589AB11
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              C-Code - Quality: 66%
                                                                                                                              			E00F415E0(void* __ecx) {
                                                                                                                              				int _v8;
                                                                                                                              				CHAR* _v12;
                                                                                                                              				int _v16;
                                                                                                                              				void _v20;
                                                                                                                              				void* __edi;
                                                                                                                              				void* __esi;
                                                                                                                              				int _t42;
                                                                                                                              				CHAR* _t43;
                                                                                                                              				int _t53;
                                                                                                                              				int _t54;
                                                                                                                              				intOrPtr* _t62;
                                                                                                                              				void* _t68;
                                                                                                                              				intOrPtr* _t69;
                                                                                                                              				int _t70;
                                                                                                                              				void* _t71;
                                                                                                                              
                                                                                                                              				_t69 = _llseek;
                                                                                                                              				_t71 = __ecx;
                                                                                                                              				_v8 = 0;
                                                                                                                              				_v20 = 0;
                                                                                                                              				_v16 = 0;
                                                                                                                              				_llseek( *(__ecx + 0x1530),  *(__ecx + 0x1538), 0); // executed
                                                                                                                              				_t62 = _lread;
                                                                                                                              				_t42 = _lread( *(_t71 + 0x1530),  &_v20, 8); // executed
                                                                                                                              				if(_t42 == 8) {
                                                                                                                              					 *((intOrPtr*)(_t71 + 0x1538)) =  *((intOrPtr*)(_t71 + 0x1538)) + 8;
                                                                                                                              					asm("adc dword [esi+0x153c], 0x0");
                                                                                                                              				} else {
                                                                                                                              					lstrcpyA(_t71 + 8, "Could not find Lua DLL file size");
                                                                                                                              					_v8 = 0x3a;
                                                                                                                              				}
                                                                                                                              				_t43 = E00F427AC(_t68, _t69, _t71, _v20); // executed
                                                                                                                              				_v12 = _t43;
                                                                                                                              				if(_t43 == 0) {
                                                                                                                              					lstrcpyA(_t71 + 8, "Failed to alloc memory.");
                                                                                                                              					_v8 = 0x36;
                                                                                                                              				} else {
                                                                                                                              					 *_t69( *(_t71 + 0x1530),  *((intOrPtr*)(_t71 + 0x1538)), 0); // executed
                                                                                                                              					_push(_v20);
                                                                                                                              					_push(_v12);
                                                                                                                              					_push( *(_t71 + 0x1530));
                                                                                                                              					if( *_t62() != _v20 || 0 != _v16) {
                                                                                                                              						lstrcpyA(_t71 + 8, "Failed to read Lua DLL");
                                                                                                                              						_v8 = 0x36;
                                                                                                                              					} else {
                                                                                                                              						if(_v8 == 0) {
                                                                                                                              							_t53 = _lcreat(_t71 + 0x142c, 0); // executed
                                                                                                                              							_t70 = _t53;
                                                                                                                              							if(_t70 != 0xffffffff) {
                                                                                                                              								_t54 = _lwrite(_t70, _v12, _v20); // executed
                                                                                                                              								if(_t54 != _v20 || 0 != _v16) {
                                                                                                                              									lstrcpyA(_t71 + 8, "Unable to write to Lua file.");
                                                                                                                              									_v8 = 0x37;
                                                                                                                              								}
                                                                                                                              								_lclose(_t70); // executed
                                                                                                                              							} else {
                                                                                                                              								lstrcpyA(_t71 + 8, "Unable to open Lua DLL file");
                                                                                                                              								_v8 = 0x37;
                                                                                                                              							}
                                                                                                                              						}
                                                                                                                              						 *((intOrPtr*)(_t71 + 0x1538)) =  *((intOrPtr*)(_t71 + 0x1538)) + _v20;
                                                                                                                              						asm("adc [esi+0x153c], eax");
                                                                                                                              					}
                                                                                                                              					E00F42772(_v12);
                                                                                                                              				}
                                                                                                                              				return _v8;
                                                                                                                              			}

                                                                                                                              APIs
                                                                                                                              • _llseek.KERNEL32(?,?,00000000), ref: 00F41609
                                                                                                                              • _lread.KERNEL32(?,?,00000008), ref: 00F4161D
                                                                                                                              • lstrcpyA.KERNEL32(?,Could not find Lua DLL file size), ref: 00F4162D
                                                                                                                              • _malloc.LIBCMT ref: 00F4164D
                                                                                                                              • _llseek.KERNEL32(?,?,00000000), ref: 00F4166C
                                                                                                                              • _lread.KERNEL32(?,?,?), ref: 00F4167A
                                                                                                                              • _lcreat.KERNEL32(?,?), ref: 00F41699
                                                                                                                              • lstrcpyA.KERNEL32(?,Unable to open Lua DLL file), ref: 00F416AF
                                                                                                                              • _lwrite.KERNEL32(00000000,?,?), ref: 00F416C5
                                                                                                                              • lstrcpyA.KERNEL32(?,Unable to write to Lua file.), ref: 00F416E0
                                                                                                                              • _lclose.KERNEL32(00000000), ref: 00F416EE
                                                                                                                              • lstrcpyA.KERNEL32(?,Failed to read Lua DLL), ref: 00F41711
                                                                                                                              • _free.LIBCMT ref: 00F41721
                                                                                                                              • lstrcpyA.KERNEL32(?,Failed to alloc memory.), ref: 00F41732
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpy$_llseek_lread$_free_lclose_lcreat_lwrite_malloc
                                                                                                                              • String ID: 6$Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
                                                                                                                              • API String ID: 4172578098-1978040295
                                                                                                                              • Opcode ID: 56d96a46ceea7a488de4599c5e44b679ae2a7b4d6ec34d40ba3e1b14145833d4
                                                                                                                              • Instruction ID: 069b15bcb27da5390cb22a3a67c5101e92f3f76580e10b0cd4260f0569688fb5
                                                                                                                              • Opcode Fuzzy Hash: 56d96a46ceea7a488de4599c5e44b679ae2a7b4d6ec34d40ba3e1b14145833d4
                                                                                                                              • Instruction Fuzzy Hash: 7A415B75905708EBCB21AFA4DC84AEEBBB8FF54351F11485AEC26A3150E774AA44EB10
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              C-Code - Quality: 87%
                                                                                                                              			E00F414CE(void* __edx, void* __edi, void* __eflags) {
                                                                                                                              				signed int _v8;
                                                                                                                              				signed int _v12;
                                                                                                                              				void* __esi;
                                                                                                                              				CHAR* _t27;
                                                                                                                              				int _t30;
                                                                                                                              				int _t35;
                                                                                                                              				void* _t36;
                                                                                                                              				CHAR* _t43;
                                                                                                                              				void* _t45;
                                                                                                                              				void* _t49;
                                                                                                                              				void* _t50;
                                                                                                                              				int _t52;
                                                                                                                              				void* _t55;
                                                                                                                              				CHAR* _t57;
                                                                                                                              
                                                                                                                              				_t50 = __edx;
                                                                                                                              				_push(_t45);
                                                                                                                              				_push(_t45);
                                                                                                                              				_v8 = _v8 & 0x00000000;
                                                                                                                              				_t55 = _t45;
                                                                                                                              				_t27 = E00F427AC(__edx, __edi, _t55,  *(_t55 + 0x1540)); // executed
                                                                                                                              				_v12 = _v12 | 0xffffffff;
                                                                                                                              				_t43 = _t27;
                                                                                                                              				if(_t43 != 0) {
                                                                                                                              					_push(__edi);
                                                                                                                              					_llseek( *(_t55 + 0x1530),  *(_t55 + 0x1538), 0); // executed
                                                                                                                              					_t30 = _lread( *(_t55 + 0x1530), _t43,  *(_t55 + 0x1540)); // executed
                                                                                                                              					if(_t30 !=  *(_t55 + 0x1540) || 0 !=  *((intOrPtr*)(_t55 + 0x1544))) {
                                                                                                                              						_t57 = _t55 + 8;
                                                                                                                              						__eflags = _t57;
                                                                                                                              						lstrcpyA(_t57, "Failed to read setup engine");
                                                                                                                              						_t52 = _v12;
                                                                                                                              						_v8 = 0x36;
                                                                                                                              					} else {
                                                                                                                              						_t35 = _lcreat(_t55 + 0x1224, 0); // executed
                                                                                                                              						_t52 = _t35;
                                                                                                                              						if(_t52 != 0xffffffff) {
                                                                                                                              							_t49 = 0;
                                                                                                                              							__eflags = 0;
                                                                                                                              							while(1) {
                                                                                                                              								_t36 = _t49;
                                                                                                                              								asm("cdq");
                                                                                                                              								__eflags = _t50 -  *((intOrPtr*)(_t55 + 0x1544));
                                                                                                                              								if(__eflags > 0) {
                                                                                                                              									break;
                                                                                                                              								}
                                                                                                                              								if(__eflags < 0) {
                                                                                                                              									L9:
                                                                                                                              									 *(_t49 + _t43) =  *(_t49 + _t43) ^ 0x00000007;
                                                                                                                              									_t49 = _t49 + 1;
                                                                                                                              									__eflags = _t49 - 0x7d0;
                                                                                                                              									if(_t49 < 0x7d0) {
                                                                                                                              										continue;
                                                                                                                              									}
                                                                                                                              								} else {
                                                                                                                              									__eflags = _t36 -  *(_t55 + 0x1540);
                                                                                                                              									if(_t36 <  *(_t55 + 0x1540)) {
                                                                                                                              										goto L9;
                                                                                                                              									}
                                                                                                                              								}
                                                                                                                              								break;
                                                                                                                              							}
                                                                                                                              							_lwrite(_t52, _t43,  *(_t55 + 0x1540)); // executed
                                                                                                                              						} else {
                                                                                                                              							lstrcpyA(_t55 + 8, "Unable to open setup file");
                                                                                                                              							_v8 = 0x37;
                                                                                                                              						}
                                                                                                                              						 *(_t55 + 0x1538) =  *(_t55 + 0x1538) +  *(_t55 + 0x1540);
                                                                                                                              						asm("adc [esi+0x153c], eax");
                                                                                                                              					}
                                                                                                                              					E00F42772(_t43); // executed
                                                                                                                              					if(_t52 != 0xffffffff) {
                                                                                                                              						_lclose(_t52); // executed
                                                                                                                              					}
                                                                                                                              				}
                                                                                                                              				return _v8;
			}

                                                                                                                              APIs
                                                                                                                              • _malloc.LIBCMT ref: 00F414E1
                                                                                                                                • Part of subcall function 00F427AC: __FF_MSGBANNER.LIBCMT ref: 00F427C5
                                                                                                                                • Part of subcall function 00F427AC: __NMSG_WRITE.LIBCMT ref: 00F427CC
                                                                                                                                • Part of subcall function 00F427AC: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,00000000,?,00F4128A,0001F400), ref: 00F427F1
                                                                                                                              • _llseek.KERNEL32(?,?,00000000), ref: 00F41504
                                                                                                                              • _lread.KERNEL32(?,00000000,?,?,00F41FA7,00000000,00000800), ref: 00F41517
                                                                                                                              • _lcreat.KERNEL32(?,?), ref: 00F4153B
                                                                                                                              • lstrcpyA.KERNEL32(?,Unable to open setup file,?,00F41FA7,00000000,00000800), ref: 00F41551
                                                                                                                              • _lwrite.KERNEL32(00000000,00000000,?,?,00F41FA7,00000000,00000800), ref: 00F4158C
                                                                                                                              • lstrcpyA.KERNEL32(?,Failed to read setup engine,?,00F41FA7,00000000,00000800), ref: 00F415B5
                                                                                                                              • _free.LIBCMT ref: 00F415C6
                                                                                                                              • _lclose.KERNEL32(000000FF), ref: 00F415D2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcpy$AllocateHeap_free_lclose_lcreat_llseek_lread_lwrite_malloc
                                                                                                                              • String ID: 6$Failed to read setup engine$Unable to open setup file
                                                                                                                              • API String ID: 694386576-1523045757
                                                                                                                              • Opcode ID: 2685d5bcd2fa53772830d4597c932cfda39e1355d35405f65ce48033cf3c6daa
                                                                                                                              • Instruction ID: 1e885965aadda7dfb89821236422a2972564467ac77464c3c1226e4fde0e6b85
                                                                                                                              • Opcode Fuzzy Hash: 2685d5bcd2fa53772830d4597c932cfda39e1355d35405f65ce48033cf3c6daa
                                                                                                                              • Instruction Fuzzy Hash: 3F31BF35900B04EFC724AB68DC88ADABBF8FF95365F240519F967D6190E7346A80AB10
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 194 f41f7a-f41f91 call f4121e call f41233 199 f41fc3-f41fc9 194->199 200 f41f93-f41f9e call f4188b 194->200 201 f42028-f4202d 199->201 202 f41fcb-f41fdf Sleep 199->202 200->199 207 f41fa0-f41fab call f414ce 200->207 204 f41fe1-f42000 DeleteFileA * 2 RemoveDirectoryA 202->204 205 f42002-f42026 MoveFileExA * 3 202->205 204->201 205->201 207->199 210 f41fad-f41fb8 call f415e0 207->210 210->199 213 f41fba-f41fbc call f41b8c 210->213 215 f41fc1 213->215 215->199
                                                                                                                              C-Code - Quality: 100%
                                                                                                                              			E00F41F7A(CHAR* __ecx, void* __edx, void* __eflags) {
                                                                                                                              				void* __edi;
                                                                                                                              				void* _t6;
                                                                                                                              				CHAR* _t8;
                                                                                                                              				void* _t17;
                                                                                                                              				void* _t18;
                                                                                                                              				void* _t19;
                                                                                                                              				void* _t20;
                                                                                                                              				void* _t21;
                                                                                                                              				void* _t28;
                                                                                                                              				CHAR* _t32;
                                                                                                                              				CHAR* _t33;
                                                                                                                              				intOrPtr _t40;
                                                                                                                              
                                                                                                                              				_t28 = __edx;
                                                                                                                              				_t32 = __ecx;
                                                                                                                              				E00F4121E(__ecx);
                                                                                                                              				_t6 = E00F41233(__ecx); // executed
                                                                                                                              				_t21 = _t6;
                                                                                                                              				if(_t21 == 0) {
                                                                                                                              					_t17 = E00F4188B(__ecx); // executed
                                                                                                                              					_t21 = _t17;
                                                                                                                              					_t37 = _t21;
                                                                                                                              					if(_t21 == 0) {
                                                                                                                              						_t18 = E00F414CE(_t28, 0, _t37); // executed
                                                                                                                              						_t21 = _t18;
                                                                                                                              						if(_t21 == 0) {
                                                                                                                              							_t19 = E00F415E0(__ecx); // executed
                                                                                                                              							_t21 = _t19;
                                                                                                                              							if(_t21 == 0) {
                                                                                                                              								_t20 = E00F41B8C(__ecx, _t28); // executed
                                                                                                                              								_t21 = _t20;
                                                                                                                              							}
                                                                                                                              						}
                                                                                                                              					}
                                                                                                                              				}
                                                                                                                              				_t40 =  *0xf4ab80; // 0x0
                                                                                                                              				if(_t40 == 0) {
                                                                                                                              					Sleep(0xa); // executed
                                                                                                                              					_t8 = _t32 + 0x1224;
                                                                                                                              					if( *((intOrPtr*)(_t32 + 0x110c)) == 0) {
                                                                                                                              						MoveFileExA(_t8, 0, 5);
                                                                                                                              						MoveFileExA(_t32 + 0x142c, 0, 5);
                                                                                                                              						_t33 = _t32 + 0x1328;
                                                                                                                              						__eflags = _t33;
                                                                                                                              						MoveFileExA(_t33, 0, 5);
                                                                                                                              					} else {
                                                                                                                              						DeleteFileA(_t8); // executed
                                                                                                                              						DeleteFileA(_t32 + 0x142c); // executed
                                                                                                                              						RemoveDirectoryA(_t32 + 0x1328); // executed
                                                                                                                              					}
                                                                                                                              				}
                                                                                                                              				return _t21;
			}
                                                                                                                              0x00f42019
                                                                                                                              0x00f4201f
                                                                                                                              0x00f4201f
                                                                                                                              0x00f42026
                                                                                                                              0x00f41fe1
                                                                                                                              0x00f41fe8
                                                                                                                              0x00f41ff1
                                                                                                                              0x00f41ffa
                                                                                                                              0x00f41ffa
                                                                                                                              0x00f41fdf
                                                                                                                              0x00f4202d

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00F4121E: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00F41F84,00000000,00000800,74CB6980,00F4115C), ref: 00F4122C
                                                                                                                                • Part of subcall function 00F41233: _lopen.KERNEL32(?,00000000), ref: 00F41252
                                                                                                                                • Part of subcall function 00F41233: lstrcpyA.KERNEL32(?,Unable to open archive file), ref: 00F4126E
                                                                                                                                • Part of subcall function 00F41233: _free.LIBCMT ref: 00F414C0
                                                                                                                              • Sleep.KERNELBASE(0000000A,00000000,00000800,74CB6980,00F4115C), ref: 00F41FCD
                                                                                                                              • DeleteFileA.KERNELBASE(?), ref: 00F41FE8
                                                                                                                              • DeleteFileA.KERNELBASE(?), ref: 00F41FF1
                                                                                                                              • RemoveDirectoryA.KERNELBASE(?), ref: 00F41FFA
                                                                                                                                • Part of subcall function 00F4188B: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,?,00000000), ref: 00F418BD
                                                                                                                                • Part of subcall function 00F4188B: GetTempPathA.KERNEL32(00000104,?), ref: 00F418DD
                                                                                                                                • Part of subcall function 00F4188B: lstrlenA.KERNEL32(?), ref: 00F418F0
                                                                                                                                • Part of subcall function 00F4188B: lstrcpyA.KERNEL32(?,?,?), ref: 00F41915
                                                                                                                                • Part of subcall function 00F4188B: lstrlenA.KERNEL32(?), ref: 00F4192B
                                                                                                                                • Part of subcall function 00F4188B: lstrcatA.KERNEL32(?,00F47380), ref: 00F4193F
                                                                                                                                • Part of subcall function 00F4188B: wsprintfA.USER32 ref: 00F4196C
                                                                                                                                • Part of subcall function 00F4188B: wsprintfA.USER32 ref: 00F41981
                                                                                                                                • Part of subcall function 00F4188B: DeleteFileA.KERNELBASE(?), ref: 00F419D0
                                                                                                                                • Part of subcall function 00F4188B: RemoveDirectoryA.KERNELBASE(?), ref: 00F419D9
                                                                                                                                • Part of subcall function 00F4188B: GetFileAttributesA.KERNELBASE(?), ref: 00F419E6
                                                                                                                                • Part of subcall function 00F4188B: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00F41A00
                                                                                                                                • Part of subcall function 00F4188B: lstrcpyA.KERNEL32(?,?), ref: 00F41A10
                                                                                                                                • Part of subcall function 00F4188B: SetCurrentDirectoryA.KERNELBASE(?), ref: 00F41A1F
                                                                                                                              • MoveFileExA.KERNEL32 ref: 00F4200C
                                                                                                                              • MoveFileExA.KERNEL32 ref: 00F42019
                                                                                                                              • MoveFileExA.KERNEL32 ref: 00F42026
                                                                                                                                • Part of subcall function 00F414CE: _malloc.LIBCMT ref: 00F414E1
                                                                                                                                • Part of subcall function 00F414CE: _llseek.KERNEL32(?,?,00000000), ref: 00F41504
                                                                                                                                • Part of subcall function 00F414CE: _lread.KERNEL32(?,00000000,?,?,00F41FA7,00000000,00000800), ref: 00F41517
                                                                                                                                • Part of subcall function 00F414CE: _lcreat.KERNEL32(?,?), ref: 00F4153B
                                                                                                                                • Part of subcall function 00F414CE: lstrcpyA.KERNEL32(?,Unable to open setup file,?,00F41FA7,00000000,00000800), ref: 00F41551
                                                                                                                                • Part of subcall function 00F414CE: _free.LIBCMT ref: 00F415C6
                                                                                                                                • Part of subcall function 00F414CE: _lclose.KERNEL32(000000FF), ref: 00F415D2
                                                                                                                                • Part of subcall function 00F415E0: _llseek.KERNEL32(?,?,00000000), ref: 00F41609
                                                                                                                                • Part of subcall function 00F415E0: _lread.KERNEL32(?,?,00000008), ref: 00F4161D
                                                                                                                                • Part of subcall function 00F415E0: lstrcpyA.KERNEL32(?,Could not find Lua DLL file size), ref: 00F4162D
                                                                                                                                • Part of subcall function 00F415E0: _malloc.LIBCMT ref: 00F4164D
                                                                                                                                • Part of subcall function 00F415E0: _llseek.KERNEL32(?,?,00000000), ref: 00F4166C
                                                                                                                                • Part of subcall function 00F415E0: _lread.KERNEL32(?,?,?), ref: 00F4167A
                                                                                                                                • Part of subcall function 00F415E0: _lcreat.KERNEL32(?,?), ref: 00F41699
                                                                                                                                • Part of subcall function 00F415E0: lstrcpyA.KERNEL32(?,Unable to open Lua DLL file), ref: 00F416AF
                                                                                                                                • Part of subcall function 00F415E0: _free.LIBCMT ref: 00F41721
                                                                                                                                • Part of subcall function 00F41B8C: wsprintfA.USER32 ref: 00F41C31
                                                                                                                                • Part of subcall function 00F41B8C: lstrlenA.KERNEL32(?), ref: 00F41C3D
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,00F474E0), ref: 00F41C59
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,?), ref: 00F41C69
                                                                                                                                • Part of subcall function 00F41B8C: wsprintfA.USER32 ref: 00F41C7E
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,00F474E0), ref: 00F41C8F
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,?), ref: 00F41C9F
                                                                                                                                • Part of subcall function 00F41B8C: wsprintfA.USER32 ref: 00F41CB5
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,00F474E0), ref: 00F41CC6
                                                                                                                                • Part of subcall function 00F41B8C: lstrcatA.KERNEL32(?,?), ref: 00F41CD6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$lstrcat$lstrcpy$Directorywsprintf$DeleteMove_free_llseek_lreadlstrlen$CurrentRemove_lcreat_malloc$AttributesCreateModuleNamePathSleepTemp_lclose_lopen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3481004031-0
                                                                                                                              • Opcode ID: c4c2e6b86aa8a6d82dc2236dfd6065efde2ac55a3cba1ac294b08f92eb9baf58
                                                                                                                              • Instruction ID: d9aa76ea28a7528d3a532471bf39582f47b6defc3140269cd5a619545e167838
                                                                                                                              • Opcode Fuzzy Hash: c4c2e6b86aa8a6d82dc2236dfd6065efde2ac55a3cba1ac294b08f92eb9baf58
                                                                                                                              • Instruction Fuzzy Hash: F0110235B40B1457D632B3B45C88B9E3AD9FBE8761F110825F902D7180FBE84D86ABA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 216 f42059-f4206a call f4202e ExitProcess
                                                                                                                              C-Code - Quality: 100%
                                                                                                                              			E00F42059(int _a4) {
                                                                                                                              
                                                                                                                              				E00F4202E(_a4);
                                                                                                                              				ExitProcess(_a4);
                                                                                                                              			}



                                                                                                                              0x00f42061
                                                                                                                              0x00f4206a

                                                                                                                              APIs
                                                                                                                              • ___crtCorExitProcess.LIBCMT ref: 00F42061
                                                                                                                                • Part of subcall function 00F4202E: GetModuleHandleW.KERNEL32(mscoree.dll,?,00F42066,00F4128A,?,00F42AD5,000000FF,0000001E,00F494D0,0000000C,00F42B80,00F4128A,00F4128A,?,00F430A4,0000000D), ref: 00F42038
                                                                                                                                • Part of subcall function 00F4202E: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F42048
                                                                                                                              • ExitProcess.KERNEL32 ref: 00F4206A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                              • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2427264223-0
                                                                                                                              • Opcode ID: 9cfc705bea78fff22605cf6a2bfd81906ccc46d7d9334c9faf7259e43b5f6109
                                                                                                                              • Instruction ID: b292b034c364261d523bc8503583d2c5b985d9630e89949426f6ca0b7753bc94
                                                                                                                              • Opcode Fuzzy Hash: 9cfc705bea78fff22605cf6a2bfd81906ccc46d7d9334c9faf7259e43b5f6109
                                                                                                                              • Instruction Fuzzy Hash: E0B0923A00420CBFCB123F1ADD0A8493F6AEF913A0B504021FD080A031DFB6AD92EAD0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 219 f45a70-f45a7a 220 f45a97-f45aa0 219->220 221 f45a7c-f45a86 219->221 222 f45aa2 220->222 223 f45aa3-f45aa8 220->223 221->220 224 f45a88-f45a96 call f4348d 221->224 222->223 225 f45abd-f45ac4 223->225 226 f45aaa-f45abb RtlAllocateHeap 223->226 229 f45ac6-f45acf call f42fae 225->229 230 f45ae2-f45ae7 225->230 226->225 228 f45aef-f45af1 226->228 229->223 235 f45ad1-f45ad6 229->235 230->228 233 f45ae9 230->233 233->228 236 f45ade-f45ae0 235->236 237 f45ad8 235->237 236->228 237->236
                                                                                                                              C-Code - Quality: 86%
                                                                                                                              			E00F45A70(signed int _a4, signed int _a8, long _a12) {
                                                                                                                              				void* _t10;
                                                                                                                              				long _t11;
                                                                                                                              				long _t12;
                                                                                                                              				signed int _t13;
                                                                                                                              				signed int _t17;
                                                                                                                              				long _t19;
                                                                                                                              				long _t24;
                                                                                                                              
                                                                                                                              				_t17 = _a4;
                                                                                                                              				if(_t17 == 0) {
                                                                                                                              					L3:
                                                                                                                              					_t24 = _t17 * _a8;
                                                                                                                              					__eflags = _t24;
                                                                                                                              					if(_t24 == 0) {
                                                                                                                              						_t24 = _t24 + 1;
                                                                                                                              						__eflags = _t24;
                                                                                                                              					}
                                                                                                                              					goto L5;
                                                                                                                              					L6:
                                                                                                                              					_t10 = RtlAllocateHeap( *0xf4b6a4, 8, _t24); // executed
                                                                                                                              					__eflags = 0;
                                                                                                                              					if(0 == 0) {
                                                                                                                              						goto L7;
                                                                                                                              					}
                                                                                                                              					L14:
                                                                                                                              					return _t10;
                                                                                                                              					goto L15;
                                                                                                                              					L7:
                                                                                                                              					__eflags =  *0xf4b6a8;
                                                                                                                              					if( *0xf4b6a8 == 0) {
                                                                                                                              						_t19 = _a12;
                                                                                                                              						__eflags = _t19;
                                                                                                                              						if(_t19 != 0) {
                                                                                                                              							 *_t19 = 0xc;
                                                                                                                              						}
                                                                                                                              					} else {
                                                                                                                              						_t11 = E00F42FAE(_t10, _t24);
                                                                                                                              						__eflags = _t11;
                                                                                                                              						if(_t11 != 0) {
                                                                                                                              							L5:
                                                                                                                              							_t10 = 0;
                                                                                                                              							__eflags = _t24 - 0xffffffe0;
                                                                                                                              							if(_t24 > 0xffffffe0) {
                                                                                                                              								goto L7;
                                                                                                                              							} else {
                                                                                                                              								goto L6;
                                                                                                                              							}
                                                                                                                              						} else {
                                                                                                                              							_t12 = _a12;
                                                                                                                              							__eflags = _t12;
                                                                                                                              							if(_t12 != 0) {
                                                                                                                              								 *_t12 = 0xc;
                                                                                                                              							}
                                                                                                                              							_t10 = 0;
                                                                                                                              						}
                                                                                                                              					}
                                                                                                                              					goto L14;
                                                                                                                              				} else {
                                                                                                                              					_t13 = 0xffffffe0;
                                                                                                                              					_t27 = _t13 / _t17 - _a8;
                                                                                                                              					if(_t13 / _t17 >= _a8) {
                                                                                                                              						goto L3;
                                                                                                                              					} else {
                                                                                                                              						 *((intOrPtr*)(E00F4348D(_t27))) = 0xc;
                                                                                                                              						return 0;
                                                                                                                              					}
                                                                                                                              				}
                                                                                                                              				L15:
                                                                                                                              			}

                                                                                                                              APIs
                                                                                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F44882,00F4128A,?,00000000,00000000,00000000,?,00F43139,00000001,00000214,?,00F4128A), ref: 00F45AB3
                                                                                                                                • Part of subcall function 00F4348D: __getptd_noexit.LIBCMT ref: 00F4348D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap__getptd_noexit
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 328603210-0
                                                                                                                              • Opcode ID: c73af57157c73e59dcf3cbdf4dcdccbe86695eac652bf41a63fd811c1db8d35b
                                                                                                                              • Instruction ID: c3d26898e4edb4d588f2abf2fbd3d4868bb54987755d48d9f79a67167afd1607
                                                                                                                              • Opcode Fuzzy Hash: c73af57157c73e59dcf3cbdf4dcdccbe86695eac652bf41a63fd811c1db8d35b
                                                                                                                              • Instruction Fuzzy Hash: 1901B135641A259BEB28BF24DC84B6B3F55EF92B70F114629EC16CB191D738CC00E650
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
• Block 238: f422b1-f422bd, call f42171
• Block 240: f422c2-f422c6
• Edge: 238 -> 240
                                                                                                                              C-Code - Quality: 25%
                                                                                                                              			E00F422B1(intOrPtr _a4) {
                                                                                                                              				void* __ebp;
                                                                                                                              				void* _t2;
                                                                                                                              				void* _t3;
                                                                                                                              				void* _t4;
                                                                                                                              				void* _t5;
                                                                                                                              				void* _t8;
                                                                                                                              
                                                                                                                              				_push(0);
                                                                                                                              				_push(0);
                                                                                                                              				_push(_a4);
                                                                                                                              				_t2 = E00F42171(_t3, _t4, _t5, _t8); // executed
                                                                                                                              				return _t2;
                                                                                                                              			}

                                                                                                                              APIs
                                                                                                                              • _doexit.LIBCMT ref: 00F422BD
                                                                                                                                • Part of subcall function 00F42171: __lock.LIBCMT ref: 00F4217F
                                                                                                                                • Part of subcall function 00F42171: RtlDecodePointer.NTDLL(00F49490,00000020,00F422D8,00F4128A,00000001,00000000,?,00F42318,000000FF,?,00F42B8C,00000011,00F4128A,?,00F430A4,0000000D), ref: 00F421BB
                                                                                                                                • Part of subcall function 00F42171: DecodePointer.KERNEL32(?,00F42318,000000FF,?,00F42B8C,00000011,00F4128A,?,00F430A4,0000000D), ref: 00F421CC
                                                                                                                                • Part of subcall function 00F42171: DecodePointer.KERNEL32(-00000004,?,00F42318,000000FF,?,00F42B8C,00000011,00F4128A,?,00F430A4,0000000D), ref: 00F421F2
                                                                                                                                • Part of subcall function 00F42171: DecodePointer.KERNEL32(?,00F42318,000000FF,?,00F42B8C,00000011,00F4128A,?,00F430A4,0000000D), ref: 00F42205
                                                                                                                                • Part of subcall function 00F42171: DecodePointer.KERNEL32(?,00F42318,000000FF,?,00F42B8C,00000011,00F4128A,?,00F430A4,0000000D), ref: 00F4220F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DecodePointer$__lock_doexit
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3343572566-0
                                                                                                                              • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                                              • Instruction ID: 41acb8d16de6388dc8ff8cbbdcb1643cd66f59cfa8a96f9abe8a1a67f231f6af
                                                                                                                              • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                                              • Instruction Fuzzy Hash: 6AB0123268030C33DA202542EC03F063F1D87C1B60FA40030FF0C1E1E2B9A3B96190C9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
• Block 241: f42fd6-f42fde, RtlEncodePointer
                                                                                                                              APIs
                                                                                                                              • RtlEncodePointer.NTDLL(00000000,00F45661,00F4AD50,00000314,00000000,?,?,?,?,?,00F43AF2,00F4AD50,Microsoft Visual C++ Runtime Library,00012010), ref: 00F42FD8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: EncodePointer
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2118026453-0
                                                                                                                              • Opcode ID: ba614efbd3c9c8782d8e3cb19fabe838d0ff2fa8e891a61e5d51eebeaf4b7bd8
                                                                                                                              • Instruction ID: 6cc2b0c9a73db1388200ab692a1bfc0fe618449602de7082e13754d1e8167f90
                                                                                                                              • Opcode Fuzzy Hash: ba614efbd3c9c8782d8e3cb19fabe838d0ff2fa8e891a61e5d51eebeaf4b7bd8
                                                                                                                              • Instruction Fuzzy Hash:
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 85%
                                                                                                                              			E00F4239A(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                              				intOrPtr _v0;
                                                                                                                              				void* _v804;
                                                                                                                              				intOrPtr _v808;
                                                                                                                              				intOrPtr _v812;
                                                                                                                              				intOrPtr _t6;
                                                                                                                              				intOrPtr _t12;
                                                                                                                              				intOrPtr _t13;
                                                                                                                              				long _t17;
                                                                                                                              				intOrPtr _t21;
                                                                                                                              				intOrPtr _t22;
                                                                                                                              				intOrPtr _t25;
                                                                                                                              				intOrPtr _t26;
                                                                                                                              				intOrPtr _t27;
                                                                                                                              				intOrPtr* _t31;
                                                                                                                              				void* _t34;
                                                                                                                              
                                                                                                                              				_t27 = __esi;
                                                                                                                              				_t26 = __edi;
                                                                                                                              				_t25 = __edx;
                                                                                                                              				_t22 = __ecx;
                                                                                                                              				_t21 = __ebx;
                                                                                                                              				_t6 = __eax;
                                                                                                                              				_t34 = _t22 -  *0xf4a020; // 0xc9fd8a1f
                                                                                                                              				if(_t34 == 0) {
                                                                                                                              					asm("repe ret");
                                                                                                                              				}
                                                                                                                              				 *0xf4b480 = _t6;
                                                                                                                              				 *0xf4b47c = _t22;
                                                                                                                              				 *0xf4b478 = _t25;
                                                                                                                              				 *0xf4b474 = _t21;
                                                                                                                              				 *0xf4b470 = _t27;
                                                                                                                              				 *0xf4b46c = _t26;
                                                                                                                              				 *0xf4b498 = ss;
                                                                                                                              				 *0xf4b48c = cs;
                                                                                                                              				 *0xf4b468 = ds;
                                                                                                                              				 *0xf4b464 = es;
                                                                                                                              				 *0xf4b460 = fs;
                                                                                                                              				 *0xf4b45c = gs;
                                                                                                                              				asm("pushfd");
                                                                                                                              				_pop( *0xf4b490);
                                                                                                                              				 *0xf4b484 =  *_t31;
                                                                                                                              				 *0xf4b488 = _v0;
                                                                                                                              				 *0xf4b494 =  &_a4;
                                                                                                                              				 *0xf4b3d0 = 0x10001;
                                                                                                                              				 *0xf4b384 =  *0xf4b488;
                                                                                                                              				 *0xf4b378 = 0xc0000409;
                                                                                                                              				 *0xf4b37c = 1;
                                                                                                                              				_t12 =  *0xf4a020; // 0xc9fd8a1f
                                                                                                                              				_v812 = _t12;
                                                                                                                              				_t13 =  *0xf4a024; // 0x360275e0
                                                                                                                              				_v808 = _t13;
                                                                                                                              				 *0xf4b3c8 = IsDebuggerPresent();
                                                                                                                              				_push(1);
                                                                                                                              				E00F449E0(_t14);
                                                                                                                              				SetUnhandledExceptionFilter(0);
                                                                                                                              				_t17 = UnhandledExceptionFilter(0xf47f60);
                                                                                                                              				if( *0xf4b3c8 == 0) {
                                                                                                                              					_push(1);
                                                                                                                              					E00F449E0(_t17);
                                                                                                                              				}
                                                                                                                              				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                              			}

                                                                                                                              APIs
                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00F43D22
                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F43D37
                                                                                                                              • UnhandledExceptionFilter.KERNEL32(00F47F60), ref: 00F43D42
                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00F43D5E
                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00F43D65
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2579439406-0
                                                                                                                              • Opcode ID: aaef3b22065c999fc2c1dc12d118d4cef542524dda318b20d75ae7b9df44bc06
                                                                                                                              • Instruction ID: a4130cf18f678051dc3c53490309eb4a515faa10f07574a5e30850a073a69be9
                                                                                                                              • Opcode Fuzzy Hash: aaef3b22065c999fc2c1dc12d118d4cef542524dda318b20d75ae7b9df44bc06
                                                                                                                              • Instruction Fuzzy Hash: 512198BD80530CDBE700EF69EC896543BA4BB2A714F50401AED0997373E7B49984EF15
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 100%
                                                                                                                              			E00F43FC8() {
                                                                                                                              
                                                                                                                              				SetUnhandledExceptionFilter(E00F43F86);
                                                                                                                              				return 0;
                                                                                                                              			}


                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00003F86), ref: 00F43FCD
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3192549508-0
                                                                                                                              • Opcode ID: 73716b0f2fdb93a876443a3ccd7dd075e15de1ff5796a6f1b79cc7630397e4b5
                                                                                                                              • Instruction ID: 3fbc3a6d2998fe7a4e7f92630311c7e75f21135ed204f7db03b3e18d11199da9
                                                                                                                              • Opcode Fuzzy Hash: 73716b0f2fdb93a876443a3ccd7dd075e15de1ff5796a6f1b79cc7630397e4b5
                                                                                                                              • Instruction Fuzzy Hash: CF90026465E3448E961C27B45C0D40A79A15A5963274148546A01C4054DF608108B522
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 62%
                                                                                                                              			E00F432D0(void* __ebx) {
                                                                                                                              				void* __edi;
                                                                                                                              				void* __esi;
                                                                                                                              				_Unknown_base(*)()* _t7;
                                                                                                                              				long _t10;
                                                                                                                              				void* _t11;
                                                                                                                              				int _t12;
                                                                                                                              				void* _t14;
                                                                                                                              				void* _t15;
                                                                                                                              				void* _t16;
                                                                                                                              				void* _t18;
                                                                                                                              				intOrPtr _t21;
                                                                                                                              				long _t26;
                                                                                                                              				void* _t30;
                                                                                                                              				struct HINSTANCE__* _t35;
                                                                                                                              				intOrPtr* _t36;
                                                                                                                              				void* _t39;
                                                                                                                              				intOrPtr* _t41;
                                                                                                                              				void* _t42;
                                                                                                                              
                                                                                                                              				_t30 = __ebx;
                                                                                                                              				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                                                                              				if(_t35 != 0) {
                                                                                                                              					 *0xf4ad40 = GetProcAddress(_t35, "FlsAlloc");
                                                                                                                              					 *0xf4ad44 = GetProcAddress(_t35, "FlsGetValue");
                                                                                                                              					 *0xf4ad48 = GetProcAddress(_t35, "FlsSetValue");
                                                                                                                              					_t7 = GetProcAddress(_t35, "FlsFree");
                                                                                                                              					__eflags =  *0xf4ad40;
                                                                                                                              					_t39 = TlsSetValue;
                                                                                                                              					 *0xf4ad4c = _t7;
                                                                                                                              					if( *0xf4ad40 == 0) {
                                                                                                                              						L6:
                                                                                                                              						 *0xf4ad44 = TlsGetValue;
                                                                                                                              						 *0xf4ad40 = 0xf42fdf;
                                                                                                                              						 *0xf4ad48 = _t39;
                                                                                                                              						 *0xf4ad4c = TlsFree;
                                                                                                                              					} else {
                                                                                                                              						__eflags =  *0xf4ad44;
                                                                                                                              						if( *0xf4ad44 == 0) {
                                                                                                                              							goto L6;
                                                                                                                              						} else {
                                                                                                                              							__eflags =  *0xf4ad48;
                                                                                                                              							if( *0xf4ad48 == 0) {
                                                                                                                              								goto L6;
                                                                                                                              							} else {
                                                                                                                              								__eflags = _t7;
                                                                                                                              								if(_t7 == 0) {
                                                                                                                              									goto L6;
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              						}
                                                                                                                              					}
                                                                                                                              					_t10 = TlsAlloc();
                                                                                                                              					 *0xf4a174 = _t10;
                                                                                                                              					__eflags = _t10 - 0xffffffff;
                                                                                                                              					if(_t10 == 0xffffffff) {
                                                                                                                              						L15:
                                                                                                                              						_t11 = 0;
                                                                                                                              						__eflags = 0;
                                                                                                                              					} else {
                                                                                                                              						_t12 = TlsSetValue(_t10,  *0xf4ad44);
                                                                                                                              						__eflags = _t12;
                                                                                                                              						if(_t12 == 0) {
                                                                                                                              							goto L15;
                                                                                                                              						} else {
                                                                                                                              							E00F42083();
                                                                                                                              							_t41 = __imp__EncodePointer;
                                                                                                                              							_t14 =  *_t41( *0xf4ad40);
                                                                                                                              							 *0xf4ad40 = _t14;
                                                                                                                              							_t15 =  *_t41( *0xf4ad44);
                                                                                                                              							 *0xf4ad44 = _t15;
                                                                                                                              							_t16 =  *_t41( *0xf4ad48);
                                                                                                                              							 *0xf4ad48 = _t16;
                                                                                                                              							 *0xf4ad4c =  *_t41( *0xf4ad4c);
                                                                                                                              							_t18 = E00F429EB();
                                                                                                                              							__eflags = _t18;
                                                                                                                              							if(_t18 == 0) {
                                                                                                                              								L14:
                                                                                                                              								E00F4301D();
                                                                                                                              								goto L15;
                                                                                                                              							} else {
                                                                                                                              								_t36 = __imp__DecodePointer;
                                                                                                                              								_t21 =  *((intOrPtr*)( *_t36()))( *0xf4ad40, E00F431A1);
                                                                                                                              								 *0xf4a170 = _t21;
                                                                                                                              								__eflags = _t21 - 0xffffffff;
                                                                                                                              								if(_t21 == 0xffffffff) {
                                                                                                                              									goto L14;
                                                                                                                              								} else {
                                                                                                                              									_t42 = E00F4486C(1, 0x214);
                                                                                                                              									__eflags = _t42;
                                                                                                                              									if(_t42 == 0) {
                                                                                                                              										goto L14;
                                                                                                                              									} else {
                                                                                                                              										__eflags =  *((intOrPtr*)( *_t36()))( *0xf4ad48,  *0xf4a170, _t42);
                                                                                                                              										if(__eflags == 0) {
                                                                                                                              											goto L14;
                                                                                                                              										} else {
                                                                                                                              											_push(0);
                                                                                                                              											_push(_t42);
                                                                                                                              											E00F4305A(_t30, _t36, _t42, __eflags);
                                                                                                                              											_t26 = GetCurrentThreadId();
                                                                                                                              											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                                                                                              											 *_t42 = _t26;
                                                                                                                              											_t11 = 1;
                                                                                                                              										}
                                                                                                                              									}
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              						}
                                                                                                                              					}
                                                                                                                              					return _t11;
                                                                                                                              				} else {
                                                                                                                              					E00F4301D();
                                                                                                                              					return 0;
                                                                                                                              				}
                                                                                                                              			}
Instruction address column for the listing above (one entry per decompiled line, in listing order; 0x00000000 entries belong to lines that emit no instruction of their own, such as goto and closing-brace lines):
0x00f432d0 0x00f432de 0x00f432e2 0x00f43302 0x00f4330f 0x00f4331c 0x00f43321 0x00f43323 0x00f4332a 0x00f43330
0x00f43335 0x00f4334d 0x00f43352 0x00f4335c 0x00f43366 0x00f4336c 0x00f43337 0x00f43337 0x00f4333e 0x00000000
0x00f43340 0x00f43340 0x00f43347 0x00000000 0x00f43349 0x00f43349 0x00f4334b 0x00000000 0x00000000 0x00f4334b
0x00f43347 0x00f4333e 0x00f43371 0x00f43377 0x00f4337c 0x00f4337f 0x00f43446 0x00f43446 0x00f43446 0x00f43385
0x00f4338c 0x00f4338e 0x00f43390 0x00000000 0x00f43396 0x00f43396 0x00f433a1 0x00f433a7 0x00f433af 0x00f433b4
0x00f433bc 0x00f433c1 0x00f433c9 0x00f433d0 0x00f433d5 0x00f433da 0x00f433dc 0x00f43441 0x00f43441 0x00000000
0x00f433de 0x00f433de 0x00f433f1 0x00f433f3 0x00f433f8 0x00f433fb 0x00000000 0x00f433fd 0x00f43409 0x00f4340d
0x00f4340f 0x00000000 0x00f43411 0x00f43422 0x00f43424 0x00000000 0x00f43426 0x00f43426 0x00f43428 0x00f43429
0x00f43430 0x00f43436 0x00f4343a 0x00f4343e 0x00f4343e 0x00f43424 0x00f4340f 0x00f433fb 0x00f433dc 0x00f43390
0x00f4344a 0x00f432e4 0x00f432e4 0x00f432ec 0x00f432ec

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00F428FE), ref: 00F432D8
                                                                                                                              • __mtterm.LIBCMT ref: 00F432E4
                                                                                                                                • Part of subcall function 00F4301D: DecodePointer.KERNEL32(00000005,00F43446,?,00F428FE), ref: 00F4302E
                                                                                                                                • Part of subcall function 00F4301D: TlsFree.KERNEL32(00000019,00F43446,?,00F428FE), ref: 00F43048
                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F432FA
                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F43307
                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F43314
                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F43321
                                                                                                                              • TlsAlloc.KERNEL32(?,00F428FE), ref: 00F43371
                                                                                                                              • TlsSetValue.KERNEL32(00000000,?,00F428FE), ref: 00F4338C
                                                                                                                              • __init_pointers.LIBCMT ref: 00F43396
                                                                                                                              • EncodePointer.KERNEL32(?,00F428FE), ref: 00F433A7
                                                                                                                              • EncodePointer.KERNEL32(?,00F428FE), ref: 00F433B4
                                                                                                                              • EncodePointer.KERNEL32(?,00F428FE), ref: 00F433C1
                                                                                                                              • EncodePointer.KERNEL32(?,00F428FE), ref: 00F433CE
                                                                                                                              • DecodePointer.KERNEL32(00F431A1,?,00F428FE), ref: 00F433EF
                                                                                                                              • __calloc_crt.LIBCMT ref: 00F43404
                                                                                                                              • DecodePointer.KERNEL32(00000000,?,00F428FE), ref: 00F4341E
                                                                                                                              • __initptd.LIBCMT ref: 00F43429
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00F43430
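Editor's added example, not part of the Joe Sandbox report and not Joe Sandbox tooling. The API list above, read together with the LIBCMT symbols the report itself resolves (__mtterm, __init_pointers, __calloc_crt, __initptd), is the MSVC CRT's per-thread-data initialiser: it probes KERNEL32.DLL for FlsAlloc/FlsGetValue/FlsSetValue/FlsFree, falls back to TlsAlloc when they are absent, protects the resolved pointers with EncodePointer, and allocates the per-thread block whose first field receives GetCurrentThreadId. Those four GetProcAddress calls are CRT start-up, not API hiding, so they should be discounted when weighing the "Extensive use of GetProcAddress" signature from the overview. The script below parses the report's API bullet lines (the sample is copied verbatim from this section) and applies that rule; the rule, the thresholds and every name in the script are the editor's assumptions.

```python
"""Parse Joe Sandbox 'APIs' bullet lines and check whether the GetProcAddress
activity of a function is explained by the MSVC CRT's thread-data initialiser.

Editor's example; not Joe Sandbox code. The CRT-init rule is an assumption,
keyed on the LIBCMT helpers the report names and on GetProcAddress resolving
only the Fls* family.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed input: the APIs block of this function, copied from the report.
SAMPLE_LINES = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00F428FE), ref: 00F432D8
• __mtterm.LIBCMT ref: 00F432E4
  • Part of subcall function 00F4301D: DecodePointer.KERNEL32(00000005,00F43446,?,00F428FE), ref: 00F4302E
  • Part of subcall function 00F4301D: TlsFree.KERNEL32(00000019,00F43446,?,00F428FE), ref: 00F43048
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F432FA
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F43307
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F43314
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F43321
• TlsAlloc.KERNEL32(?,00F428FE), ref: 00F43371
• TlsSetValue.KERNEL32(00000000,?,00F428FE), ref: 00F4338C
• __init_pointers.LIBCMT ref: 00F43396
• EncodePointer.KERNEL32(?,00F428FE), ref: 00F433A7
• EncodePointer.KERNEL32(?,00F428FE), ref: 00F433B4
• EncodePointer.KERNEL32(?,00F428FE), ref: 00F433C1
• EncodePointer.KERNEL32(?,00F428FE), ref: 00F433CE
• DecodePointer.KERNEL32(00F431A1,?,00F428FE), ref: 00F433EF
• __calloc_crt.LIBCMT ref: 00F43404
• DecodePointer.KERNEL32(00000000,?,00F428FE), ref: 00F4341E
• __initptd.LIBCMT ref: 00F43429
• GetCurrentThreadId.KERNEL32 ref: 00F43430
"""

# One bullet: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: ADDRESS". The argument list never contains ')'.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # call-site address from the "ref:" field
    subcall_of: Optional[int]   # callee address when listed as "Part of subcall"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn each bullet line into an ApiCall; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def getprocaddress_targets(calls: List[ApiCall]) -> Set[str]:
    """Names resolved at runtime: the second argument of each GetProcAddress call."""
    return {c.args[1] for c in calls
            if c.name == "GetProcAddress" and len(c.args) >= 2}


# Fiber-local-storage entry points the CRT probes for (Vista+), with Tls* as fallback.
CRT_FLS_FAMILY = {"FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree"}


def looks_like_crt_mtinit(calls: List[ApiCall]) -> bool:
    """Assumed rule: the function is the CRT thread-data initialiser when its direct
    calls show the Fls* probe, the Tls* fallback, pointer encoding and the LIBCMT helpers."""
    direct = [c for c in calls if c.subcall_of is None]
    names = {c.name for c in direct}
    libcmt = {c.name for c in direct if c.module == "LIBCMT"}
    return (CRT_FLS_FAMILY <= getprocaddress_targets(direct)
            and {"TlsAlloc", "TlsSetValue", "EncodePointer", "GetCurrentThreadId"} <= names
            and {"__init_pointers", "__calloc_crt", "__initptd"} <= libcmt)


def unexplained_getprocaddress(calls: List[ApiCall]) -> Set[str]:
    """GetProcAddress targets the CRT rule does not account for: the ones worth a
    manual look when triaging an 'extensive use of GetProcAddress' signature."""
    targets = getprocaddress_targets(calls)
    return targets - CRT_FLS_FAMILY if looks_like_crt_mtinit(calls) else targets


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(len(parsed), "API lines;", sum(c.subcall_of is not None for c in parsed), "from subcalls")
    print("CRT thread-data initialiser:", looks_like_crt_mtinit(parsed))
    print("GetProcAddress targets needing review:", unexplained_getprocaddress(parsed) or "none")
```

Run on a function whose GetProcAddress targets include anything outside the Fls* family (VirtualAlloc, CreateRemoteThread, ...), the rule does not fire and every target is reported for review; the point is to remove the CRT false positive, not to whitelist GetProcAddress.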
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                              • API String ID: 3732613303-3819984048
                                                                                                                              • Opcode ID: 38eb8852de6af682a9e6c5c7d3c7a6ef934923c8e78853a29ef3fcc51897a64e
                                                                                                                              • Instruction ID: 15b923349499311605b055a59dc574f8941921d78f215b27e2f4af27a151e5b8
                                                                                                                              • Opcode Fuzzy Hash: 38eb8852de6af682a9e6c5c7d3c7a6ef934923c8e78853a29ef3fcc51897a64e
                                                                                                                              • Instruction Fuzzy Hash: 1C31B339D843189BDB21AF79EC056193EB0AB72761B000526EC14CBAB0DB7885C0FF52
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 92%
                                                                                                                              			E00F44F44(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                              				signed int _t15;
                                                                                                                              				LONG* _t21;
                                                                                                                              				void* _t31;
                                                                                                                              				LONG* _t33;
                                                                                                                              				void* _t34;
                                                                                                                              				void* _t35;
                                                                                                                              
                                                                                                                              				_t35 = __eflags;
                                                                                                                              				_t29 = __edx;
                                                                                                                              				_t25 = __ebx;
                                                                                                                              				_push(0xc);
                                                                                                                              				_push(0xf49600);
                                                                                                                              				E00F437A0(__ebx, __edi, __esi);
                                                                                                                              				_t31 = E00F43187(__ebx, __edx, __edi, _t35);
                                                                                                                              				_t15 =  *0xf4aac0; // 0xfffffffe
                                                                                                                              				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                                                              					E00F42B65(_t25, 0xd);
                                                                                                                              					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                                                              					 *(_t34 - 0x1c) = _t33;
                                                                                                                              					__eflags = _t33 -  *0xf4a9c8; // 0xd61608
                                                                                                                              					if(__eflags != 0) {
                                                                                                                              						__eflags = _t33;
                                                                                                                              						if(__eflags != 0) {
                                                                                                                              							__eflags = InterlockedDecrement(_t33);
                                                                                                                              							if(__eflags == 0) {
                                                                                                                              								__eflags = _t33 - 0xf4a5a0;
                                                                                                                              								if(__eflags != 0) {
                                                                                                                              									E00F42772(_t33);
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              						}
                                                                                                                              						_t21 =  *0xf4a9c8; // 0xd61608
                                                                                                                              						 *(_t31 + 0x68) = _t21;
                                                                                                                              						_t33 =  *0xf4a9c8; // 0xd61608
                                                                                                                              						 *(_t34 - 0x1c) = _t33;
                                                                                                                              						InterlockedIncrement(_t33);
                                                                                                                              					}
                                                                                                                              					 *(_t34 - 4) = 0xfffffffe;
                                                                                                                              					E00F44FDF();
                                                                                                                              				} else {
                                                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                                                              				}
                                                                                                                              				_t38 = _t33;
                                                                                                                              				if(_t33 == 0) {
                                                                                                                              					E00F422FB(_t29, _t31, _t38, 0x20);
                                                                                                                              				}
                                                                                                                              				return E00F437E5(_t33);
                                                                                                                              			}
                                                                                                                               Instruction addresses (per-line column): 0x00f44f44 to 0x00f44fd5

                                                                                                                              APIs
                                                                                                                              • __getptd.LIBCMT ref: 00F44F50
                                                                                                                                • Part of subcall function 00F43187: __getptd_noexit.LIBCMT ref: 00F4318A
                                                                                                                                • Part of subcall function 00F43187: __amsg_exit.LIBCMT ref: 00F43197
                                                                                                                              • __amsg_exit.LIBCMT ref: 00F44F70
                                                                                                                              • __lock.LIBCMT ref: 00F44F80
                                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00F44F9D
                                                                                                                              • _free.LIBCMT ref: 00F44FB0
                                                                                                                              • InterlockedIncrement.KERNEL32(00D61608), ref: 00F44FC8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3470314060-0
                                                                                                                              • Opcode ID: ff8128873ea7aa1308d682113b59581c4b102f6f8d6065bc40efdf63a0c681f1
                                                                                                                              • Instruction ID: eec31bab078530063b60ac7aaab6175ff3c4f188a86a4d3e5906f183d6c15e3b
                                                                                                                              • Opcode Fuzzy Hash: ff8128873ea7aa1308d682113b59581c4b102f6f8d6065bc40efdf63a0c681f1
                                                                                                                              • Instruction Fuzzy Hash: 5901A936E05A25ABE721EF689806749BFA0AB12B30F054005FC00B7691DB38B945FBD6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 68%
                                                                                                                               			E00F41821(intOrPtr _a4, intOrPtr _a8) { // resolves ConvertSidToStringSidA at run time; the export name is absent from the import table
                                                                                                                               				_Unknown_base(*)()* _t7;
                                                                                                                               				void* _t10;
                                                                                                                               				struct HINSTANCE__* _t11;
                                                                                                                               
                                                                                                                               				_t10 = 0;
                                                                                                                               				_t11 = LoadLibraryA("Advapi32.dll");
                                                                                                                               				if(_t11 != 0 && _a8 != 0 && _a4 != 0) {
                                                                                                                               					_t7 = GetProcAddress(_t11, "ConvertSidToStringSidA");
                                                                                                                               					if(_t7 != 0) {
                                                                                                                               						_t10 =  *_t7(_a4, _a8); // ConvertSidToStringSidA(PSID _a4, LPSTR* _a8); the caller owns the returned string (LocalFree)
                                                                                                                               					}
                                                                                                                               					FreeLibrary(_t11); // handle released at once, so the load shows up only as a LoadLibraryA/FreeLibrary pair
                                                                                                                               				}
                                                                                                                               				return _t10; // 0 on any failure, otherwise the BOOL from ConvertSidToStringSidA
                                                                                                                               			}
                                                                                                                               Instruction addresses (per-line column): 0x00f4182b to 0x00f41869

                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(Advapi32.dll,7491C740,74CF81D0,?,00F41D94,?,00000000), ref: 00F4182D
                                                                                                                              • GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidA), ref: 00F41849
                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00F41D94,?,00000000), ref: 00F4185E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                                                              • String ID: Advapi32.dll$ConvertSidToStringSidA
                                                                                                                              • API String ID: 145871493-1798845326
                                                                                                                              • Opcode ID: 138273da730cc824bab9de3d4b88bc626386491a51bd4a3172149aba93ecf06a
                                                                                                                              • Instruction ID: 40f75a72887240633a536a355daad9bcf2fce99a9ce69ac4af459d079d0f14f8
                                                                                                                              • Opcode Fuzzy Hash: 138273da730cc824bab9de3d4b88bc626386491a51bd4a3172149aba93ecf06a
                                                                                                                              • Instruction Fuzzy Hash: BCE06536605718AB87213F5EDC048AEBF65EAC17B13148121FD18C1110D7318985B6E1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
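The "APIs" lists in this report follow a fixed line format (`• Name.MODULE(args), ref: ADDR`, with `Part of subcall function ADDR:` for nested calls). The following is an added example for this page, not Joe Sandbox code and not part of the sample: it parses such lines and, for entries like E00F41821 above, pairs each `LoadLibrary*` string argument with the `GetProcAddress` export name that follows it in address order. That pairing is an assumption (the handle column is rendered as `00000000`, so calls cannot be matched by handle) and holds only within one function's list. The sample lines are copied from this report.

```python
"""Parse Joe Sandbox "APIs" lines and list exports resolved through GetProcAddress.

Added example; the line format is taken from this report, the pairing rule
(LoadLibrary* string argument -> next GetProcAddress name) is an assumption.
"""
import re
from collections import defaultdict

# Lines copied from this report (E00F41821 and part of the preceding CRT function).
SAMPLE_API_LINES = """APIs
• LoadLibraryA.KERNEL32(Advapi32.dll,7491C740,74CF81D0,?,00F41D94,?,00000000), ref: 00F4182D
• GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidA), ref: 00F41849
• FreeLibrary.KERNEL32(00000000,?,00F41D94,?,00000000), ref: 00F4185E
• __getptd.LIBCMT ref: 00F44F50
  • Part of subcall function 00F43187: __getptd_noexit.LIBCMT ref: 00F4318A
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_lines(text):
    """Return one dict per API line: name, module, args (list of strings),
    ref (int address of the call site) and subcall_of (int or None)."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers and non-API text are skipped
        raw_args = m["args"]
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        records.append({
            "name": m["name"],
            "module": m["module"],
            "args": args,
            "ref": int(m["ref"], 16),
            "subcall_of": int(m["sub"], 16) if m["sub"] else None,
        })
    return records


def runtime_resolved_exports(records):
    """Map DLL name -> exports fetched via GetProcAddress, walking the calls in
    address order. Assumption: the GetProcAddress calls following a
    LoadLibrary* belong to that DLL until the next LoadLibrary*/FreeLibrary."""
    resolved = defaultdict(list)
    current_dll = None
    for r in sorted(records, key=lambda r: r["ref"]):
        if r["name"].startswith("LoadLibrary") and r["args"]:
            current_dll = r["args"][0]  # first argument is the DLL name string
        elif r["name"] == "GetProcAddress" and current_dll and len(r["args"]) >= 2:
            resolved[current_dll].append(r["args"][1])  # second argument is the export name
        elif r["name"] == "FreeLibrary":
            current_dll = None
    return dict(resolved)


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_API_LINES)
    print(runtime_resolved_exports(recs))  # {'Advapi32.dll': ['ConvertSidToStringSidA']}
```

Running this over every function entry in a report gives the set of APIs the sample reaches without importing them, which is the concrete list behind the "Extensive use of GetProcAddress" signature and a better starting point for capability triage than the import table alone.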

                                                                                                                              C-Code - Quality: 92%
                                                                                                                               			E00F41747(CHAR* _a4) { // creates every missing component of a drive-rooted path, "mkdir -p" style
                                                                                                                               				signed int _v8;
                                                                                                                               				char _v268;
                                                                                                                               				int _v272;
                                                                                                                               				void* __ebx;
                                                                                                                               				void* __edi;
                                                                                                                               				void* __esi;
                                                                                                                               				signed int _t19;
                                                                                                                               				char* _t28;
                                                                                                                               				struct _SECURITY_ATTRIBUTES* _t30;
                                                                                                                               				int _t34;
                                                                                                                               				char _t37;
                                                                                                                               				void* _t38;
                                                                                                                               				intOrPtr _t40;
                                                                                                                               				CHAR* _t41;
                                                                                                                               				signed int _t42;
                                                                                                                               
                                                                                                                               				_t19 =  *0xf4a020; // 0xc9fd8a1f, stack cookie (/GS)
                                                                                                                               				_v8 = _t19 ^ _t42;
                                                                                                                               				_t41 = _a4;
                                                                                                                               				_v272 = 1; // result flag, returned at L14
                                                                                                                               				// Appends a trailing backslash to the caller's buffer in place; lstrcatA performs no length check.
                                                                                                                               				if(_t41[lstrlenA(_t41) - 1] != 0x5c) {
                                                                                                                               					lstrcatA(_t41, "\\");
                                                                                                                               				}
                                                                                                                               				_t34 = lstrlenA(_t41);
                                                                                                                               				_t40 = 0; // character index
                                                                                                                               				E00F42320( &_v268, 0, 0x104); // zeroes the 0x104-byte local path buffer (memset-like helper)
                                                                                                                               				// Only "X:..." paths are accepted; UNC and relative paths return 0 without touching the file system.
                                                                                                                               				if(_t34 <= 2 || _t41[1] != 0x3a) {
                                                                                                                               					_v272 = _t40;
                                                                                                                               				} else {
                                                                                                                               					if(_t34 <= 0) {
                                                                                                                               						L14:
                                                                                                                               						return E00F4239A(_v272, _t34, _v8 ^ _t42, _t38, _t40, _t41); // stack-cookie check, then returns _v272
                                                                                                                               					}
                                                                                                                               					_t41 = _t41 -  &_v268; // decompiler artifact: the loop below reads _a4[_t40] through this offset
                                                                                                                               					while(_v272 != 0) {
                                                                                                                               						_t28 = _t42 + _t40 - 0x108; // &_v268[_t40]
                                                                                                                               						_t37 = _t41[_t28]; // _a4[_t40]
                                                                                                                               						 *_t28 = _t37; // copy one character into the local buffer
                                                                                                                               						// At every backslash except the drive root (index 2): change into the prefix, and create it
                                                                                                                               						// only when that fails. A failed CreateDirectoryA clears _v272 and ends the loop.
                                                                                                                               						if(_t37 == 0x5c && _t40 != 2) {
                                                                                                                               							_t30 = SetCurrentDirectoryA( &_v268);
                                                                                                                               							if(_t30 == 0) {
                                                                                                                               								_v272 = CreateDirectoryA( &_v268, _t30); // lpSecurityAttributes == NULL
                                                                                                                               							}
                                                                                                                               						}
                                                                                                                               						_t40 = _t40 + 1;
                                                                                                                               						if(_t40 < _t34) {
                                                                                                                               							continue;
                                                                                                                               						} else {
                                                                                                                               							goto L14;
                                                                                                                               						}
                                                                                                                               					}
                                                                                                                               				}
                                                                                                                               			}
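The routine E00F41747 above walks a path prefix by prefix and issues a SetCurrentDirectoryA / CreateDirectoryA pair for each component that does not yet exist. The following is an added example, not code from the sample or from Joe Sandbox: it emulates that control flow in Python so the exact sequence of API calls the sample will make for a given path can be predicted and written into a sandbox or EDR expectation. The simulated file system (`existing` directories and a `denied` set standing in for a failed CreateDirectoryA) is constructed for the example.

```python
"""Emulation of the directory-creation routine decompiled as E00F41747.

Added example, not the sample's code. `existing` and `denied` are a
constructed stand-in for the real SetCurrentDirectoryA / CreateDirectoryA
results; Windows path comparison is case-insensitive, so keys are lowered.
"""


def emulate_e00f41747(path, existing, denied=frozenset()):
    """Return (result, api_calls) for one invocation of the routine.

    result mirrors _v272: 1 on success, 0 when the path is not drive-rooted or
    a CreateDirectoryA call fails.  api_calls is the ordered list of
    (api_name, argument) pairs the sample would issue.
    """
    calls = []
    # lstrcatA(path, "\\") when the last character is not a backslash
    if not path.endswith("\\"):
        path += "\\"
    n = len(path)
    # accepted only when len > 2 and path[1] == ':'  ("X:..." form)
    if n <= 2 or path[1] != ":":
        return 0, calls

    seen = {p.lower() for p in existing}      # directories SetCurrentDirectoryA succeeds on
    denied_l = {d.lower() for d in denied}    # directories CreateDirectoryA fails on
    result = 1
    prefix = ""                               # the zeroed 0x104-byte local buffer, filled one char per step
    for i in range(n):
        if result == 0:                       # while(_v272 != 0)
            break
        prefix += path[i]
        # index 2 is the backslash after "X:", so the drive root is never touched
        if path[i] == "\\" and i != 2:
            calls.append(("SetCurrentDirectoryA", prefix))
            if prefix.lower() not in seen:    # SetCurrentDirectoryA returned FALSE
                calls.append(("CreateDirectoryA", prefix))
                if prefix.lower() in denied_l:
                    result = 0                # CreateDirectoryA returned FALSE; loop ends
                else:
                    seen.add(prefix.lower())  # created, but the routine does not chdir into it
    return result, calls


if __name__ == "__main__":
    fs = {"C:\\Users\\", "C:\\Users\\Public\\"}
    res, trace = emulate_e00f41747("C:\\Users\\Public\\a\\b", fs)
    for api, arg in trace:
        print(f"{api}({arg!r})")
    print("result:", res)
```

Two points the emulation makes visible: the process's current directory is changed as a side effect, and it is left at the deepest component that already existed (created components are never entered), so relative file operations the sample performs afterwards resolve there; and a UNC or relative argument produces no file-system activity at all, which is worth remembering when a run shows no directory creation.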
                                                                                                                               Instruction addresses (per-line column): 0x00f41750 to 0x00f4181e
                                                                                                                              0x00f417fd
                                                                                                                              0x00f41800
                                                                                                                              0x00000000
                                                                                                                              0x00f41802
                                                                                                                              0x00000000
                                                                                                                              0x00f41802
                                                                                                                              0x00f41800
                                                                                                                              0x00f417b9

                                                                                                                              APIs
                                                                                                                              • lstrlenA.KERNEL32(00F41909,74CF8170,?,74CB6980), ref: 00F41771
                                                                                                                              • lstrcatA.KERNEL32(00F41909,00F47380), ref: 00F41780
                                                                                                                              • lstrlenA.KERNEL32(00F41909), ref: 00F41787
                                                                                                                              • SetCurrentDirectoryA.KERNEL32(?), ref: 00F417DF
                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000), ref: 00F417F1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Directorylstrlen$CreateCurrentlstrcat
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 279805598-0
                                                                                                                              • Opcode ID: 60f5f8c3bc4a69c8c22d99e1b3708bd58113a276598468298f838dcebd13dd26
                                                                                                                              • Instruction ID: 04fa24ca107c0494197019ebe0d9bc7fd8dc0d628dd416d23215bf755f22c73a
                                                                                                                              • Opcode Fuzzy Hash: 60f5f8c3bc4a69c8c22d99e1b3708bd58113a276598468298f838dcebd13dd26
                                                                                                                              • Instruction Fuzzy Hash: D921B076D0431C9ADB20DF69CC44BEABFE8AB66310F0141A5ED8593141D7B89DC4EF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 94%
                                                                                                                              			E00F45AF2(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                                                                                                                              				void* _t7;
                                                                                                                              				long _t8;
                                                                                                                              				intOrPtr* _t9;
                                                                                                                              				intOrPtr* _t12;
                                                                                                                              				long _t27;
                                                                                                                              				long _t30;
                                                                                                                              
                                                                                                                              				if(_a4 != 0) {
                                                                                                                              					_push(__esi);
                                                                                                                              					_t30 = _a8;
                                                                                                                              					__eflags = _t30;
                                                                                                                              					if(_t30 != 0) {
                                                                                                                              						_push(__edi);
                                                                                                                              						while(1) {
                                                                                                                              							__eflags = _t30 - 0xffffffe0;
                                                                                                                              							if(_t30 > 0xffffffe0) {
                                                                                                                              								break;
                                                                                                                              							}
                                                                                                                              							__eflags = _t30;
                                                                                                                              							if(_t30 == 0) {
                                                                                                                              								_t30 = _t30 + 1;
                                                                                                                              								__eflags = _t30;
                                                                                                                              							}
                                                                                                                              							_t7 = HeapReAlloc( *0xf4b6a4, 0, _a4, _t30);
                                                                                                                              							_t27 = _t7;
                                                                                                                              							__eflags = _t27;
                                                                                                                              							if(_t27 != 0) {
                                                                                                                              								L17:
                                                                                                                              								_t8 = _t27;
                                                                                                                              							} else {
                                                                                                                              								__eflags =  *0xf4b6a8 - _t7;
                                                                                                                              								if(__eflags == 0) {
                                                                                                                              									_t9 = E00F4348D(__eflags);
                                                                                                                              									 *_t9 = E00F4344B(GetLastError());
                                                                                                                              									goto L17;
                                                                                                                              								} else {
                                                                                                                              									__eflags = E00F42FAE(_t7, _t30);
                                                                                                                              									if(__eflags == 0) {
                                                                                                                              										_t12 = E00F4348D(__eflags);
                                                                                                                              										 *_t12 = E00F4344B(GetLastError());
                                                                                                                              										L12:
                                                                                                                              										_t8 = 0;
                                                                                                                              										__eflags = 0;
                                                                                                                              									} else {
                                                                                                                              										continue;
                                                                                                                              									}
                                                                                                                              								}
                                                                                                                              							}
                                                                                                                              							goto L14;
                                                                                                                              						}
                                                                                                                              						E00F42FAE(_t6, _t30);
                                                                                                                              						 *((intOrPtr*)(E00F4348D(__eflags))) = 0xc;
                                                                                                                              						goto L12;
                                                                                                                              					} else {
                                                                                                                              						E00F42772(_a4);
                                                                                                                              						_t8 = 0;
                                                                                                                              					}
                                                                                                                              					L14:
                                                                                                                              					return _t8;
                                                                                                                              				} else {
                                                                                                                              					return E00F427AC(__edx, __edi, __esi, _a8);
                                                                                                                              				}
                                                                                                                               			}

                                                                                                                               Instruction addresses (address column of the decompiled function above): 0x00f45afb, 0x00f45b08, 0x00f45b09, 0x00f45b0c, 0x00f45b0e, 0x00f45b1d, 0x00f45b50, 0x00f45b50, 0x00f45b53, 0x00000000, 0x00000000, 0x00f45b20, 0x00f45b22, 0x00f45b24, 0x00f45b24, 0x00f45b24, 0x00f45b31, 0x00f45b37, 0x00f45b39, 0x00f45b3b, 0x00f45b9b, 0x00f45b9b, 0x00f45b3d, 0x00f45b3d, 0x00f45b43, 0x00f45b85, 0x00f45b99, 0x00000000, 0x00f45b45, 0x00f45b4c, 0x00f45b4e, 0x00f45b6d, 0x00f45b81, 0x00f45b67, 0x00f45b67, 0x00f45b67, 0x00000000, 0x00000000, 0x00000000, 0x00f45b4e, 0x00f45b43, 0x00000000, 0x00f45b69, 0x00f45b56, 0x00f45b61, 0x00000000, 0x00f45b10, 0x00f45b13, 0x00f45b19, 0x00f45b19, 0x00f45b6a, 0x00f45b6c, 0x00f45afd, 0x00f45b07, 0x00f45b07

                                                                                                                              APIs
                                                                                                                              • _malloc.LIBCMT ref: 00F45B00
                                                                                                                                • Part of subcall function 00F427AC: __FF_MSGBANNER.LIBCMT ref: 00F427C5
                                                                                                                                • Part of subcall function 00F427AC: __NMSG_WRITE.LIBCMT ref: 00F427CC
                                                                                                                                • Part of subcall function 00F427AC: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,00000000,?,00F4128A,0001F400), ref: 00F427F1
                                                                                                                              • _free.LIBCMT ref: 00F45B13
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                               • Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                               • Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1020059152-0
                                                                                                                              • Opcode ID: 3094ecb91265e88bf480af09c305e898c75846346cc177b6da0d4cd9afb7a80d
                                                                                                                              • Instruction ID: 7af8535b4b3d6e9167e75f4d472693e25c2cd4d6c0dd0312f61bc106dc6d70e9
                                                                                                                              • Opcode Fuzzy Hash: 3094ecb91265e88bf480af09c305e898c75846346cc177b6da0d4cd9afb7a80d
                                                                                                                              • Instruction Fuzzy Hash: D8110D32905A186FCF227F34AC04B5A3F54EFD1B70B254439FC449B2A2DB38C840B694
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              C-Code - Quality: 90%
                                                                                                                              			E00F44CA8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                              				signed int _t12;
                                                                                                                              				void* _t28;
	intOrPtr _t29;
	void* _t30;
	void* _t31;

	_t31 = __eflags;
	_t26 = __edi;
	_t25 = __edx;
	_t20 = __ebx;
	_push(0xc);
	_push(0xf495e0);
	E00F437A0(__ebx, __edi, __esi);
	_t28 = E00F43187(__ebx, __edx, __edi, _t31);
	_t12 =  *0xf4aac0; // 0xfffffffe
	if(( *(_t28 + 0x70) & _t12) == 0) {
		L6:
		E00F42B65(_t20, 0xc);
		 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
		_t29 = _t28 + 0x6c;
		 *((intOrPtr*)(_t30 - 0x1c)) = E00F44C5B(_t29,  *0xf4a598);
		 *(_t30 - 4) = 0xfffffffe;
		E00F44D15();
	} else {
		_t33 =  *((intOrPtr*)(_t28 + 0x6c));
		if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
			goto L6;
		} else {
			_t29 =  *((intOrPtr*)(E00F43187(_t20, __edx, _t26, _t33) + 0x6c));
		}
	}
	_t34 = _t29;
	if(_t29 == 0) {
		E00F422FB(_t25, _t26, _t34, 0x20);
	}
	return E00F437E5(_t29);
}

APIs
• __getptd.LIBCMT ref: 00F44CB4
  • Part of subcall function 00F43187: __getptd_noexit.LIBCMT ref: 00F4318A
  • Part of subcall function 00F43187: __amsg_exit.LIBCMT ref: 00F43197
• __getptd.LIBCMT ref: 00F44CCB
• __amsg_exit.LIBCMT ref: 00F44CD9
• __lock.LIBCMT ref: 00F44CE9
• __updatetlocinfoEx_nolock.LIBCMT ref: 00F44CFD
Memory Dump Source
• Source File: 00000000.00000002.398600698.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.398595973.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398607159.0000000000F47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398613550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.398618185.0000000000F4C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_fNlAH8RgLk.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 7b42b4480a34ee0baabbcb452a69df7bab4c340203deaaacc1072092764f6d28
• Instruction ID: 1b325055c4c88cdfbf8458a4906552b0e03503f30b5202b6c91fce1e74d2b0ab
• Opcode Fuzzy Hash: 7b42b4480a34ee0baabbcb452a69df7bab4c340203deaaacc1072092764f6d28
• Instruction Fuzzy Hash: E0F0F072E462009AE621BB684C03B4D3EA07F00720F280109FD00B65C2CB6C6A00FA5A
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 11.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 100
50644->50645 50646 49b42d 50645->50646 50646->50627 50648 492ea7 50647->50648 50651 49247f __EH_prolog3 50648->50651 50650 492ed6 50650->50482 50652 495d98 12 API calls 50651->50652 50653 492492 50652->50653 50677 492382 __EH_prolog3 50653->50677 50655 4924af 50656 4b3c8a Mailbox 5 API calls 50655->50656 50657 4924c9 50656->50657 50658 401bab 4 API calls 50657->50658 50659 4924fe 50658->50659 50660 43a2c6 __EH_prolog3 50659->50660 50661 49250a Mailbox 50660->50661 50662 4c1346 5 API calls 50661->50662 50664 492553 Mailbox 50662->50664 50663 43a2c6 __EH_prolog3 50663->50664 50664->50663 50665 4c1346 __FF_MSGBANNER __NMSG_WRITE RtlAllocateHeap ___crtCorExitProcess ExitProcess 50664->50665 50666 4b3c8a 5 API calls Mailbox 50664->50666 50668 492878 50664->50668 50681 4a26f3 __EH_prolog3_GS 50664->50681 50665->50664 50666->50664 50669 4b3c8a Mailbox 5 API calls 50668->50669 50670 49287f 50669->50670 50671 401bab 4 API calls 50670->50671 50672 4928bc 50671->50672 50673 43a2c6 __EH_prolog3 50672->50673 50674 4928c8 Mailbox 50673->50674 50675 4c1346 5 API calls 50674->50675 50676 492915 50675->50676 50676->50650 50679 49239a Mailbox 50677->50679 50678 40258d _vwprintf _vswprintf_s 50678->50679 50679->50678 50680 492479 50679->50680 50680->50655 50681->50664 50683 49b232 50682->50683 50686 49a6f5 __EH_prolog3 50683->50686 50687 495d98 12 API calls 50686->50687 50688 49a70b 50687->50688 50689 4019b2 3 API calls 50688->50689 50690 49a722 50689->50690 50691 4b3c8a Mailbox 5 API calls 50690->50691 50692 49a731 50691->50692 50693 401bab 4 API calls 50692->50693 50694 49a766 50693->50694 50695 43a2c6 __EH_prolog3 50694->50695 50696 49a772 Mailbox 50695->50696 50697 4c1346 5 API calls 50696->50697 50698 49a7b5 50697->50698 50699 4b3c8a Mailbox 5 API calls 50698->50699 50700 49a7bc 50699->50700 50701 401bab 4 API calls 50700->50701 50702 49a7f9 50701->50702 50703 43a2c6 __EH_prolog3 50702->50703 50704 49a808 Mailbox 50703->50704 50705 4c1346 5 API calls 50704->50705 50706 49a84f 
50705->50706 50707 4b3c8a Mailbox 5 API calls 50706->50707 50708 49a859 50707->50708 50709 4c1346 5 API calls 50708->50709 50710 49a8a3 50709->50710 50711 4b3c8a Mailbox 5 API calls 50710->50711 50712 49a8aa 50711->50712 50713 49a8c0 50712->50713 50731 4a87fa _memmove_s _memcpy_s _strlen __EH_prolog3 50712->50731 50715 401bab 4 API calls 50713->50715 50716 49a8e7 50715->50716 50731->50713 50733 4921d7 50736 48c40e 50733->50736 50735 4921e8 50737 48c4a1 50736->50737 50741 48c423 50736->50741 50744 4019d8 __EH_prolog3_GS 50737->50744 50739 48c4c1 50740 4019d8 20 API calls 50739->50740 50742 48c4d7 50740->50742 50741->50735 50755 495b62 __EH_prolog3 50742->50755 50745 4019fd 50744->50745 50746 401a99 50745->50746 50747 401a0d 50745->50747 50748 4b592f 17 API calls 50746->50748 50811 4b592f 50747->50811 50750 401a35 50748->50750 50751 401a41 50750->50751 50754 401a5a Mailbox 50750->50754 50828 4b61e9 11 API calls Mailbox 50750->50828 50823 401614 50751->50823 50754->50739 50756 495b75 50755->50756 50757 401bab 4 API calls 50756->50757 50758 495b86 50757->50758 50759 401bab 4 API calls 50758->50759 50760 495b96 50759->50760 50761 401bab 4 API calls 50760->50761 50762 495baa 50761->50762 50763 401bab 4 API calls 50762->50763 50764 495bc7 50763->50764 50765 401bab 4 API calls 50764->50765 50766 495bda 50765->50766 50767 401bab 4 API calls 50766->50767 50768 495bee 50767->50768 50769 401bab 4 API calls 50768->50769 50770 495c08 50769->50770 50771 401bab 4 API calls 50770->50771 50772 495c1b 50771->50772 50773 401bab 4 API calls 50772->50773 50774 495c2f 50773->50774 50775 401bab 4 API calls 50774->50775 50776 495c49 50775->50776 50777 401bab 4 API calls 50776->50777 50778 495c5c 50777->50778 50779 401bab 4 API calls 50778->50779 50780 495c70 50779->50780 50812 4b5948 50811->50812 50820 4b5941 50811->50820 50813 4b595e 50812->50813 50812->50820 50834 4b61e9 11 API calls Mailbox 50812->50834 50815 40a123 Mailbox _memcpy_s 50813->50815 50816 4b5978 50815->50816 50817 4b59bc 
50816->50817 50816->50820 50829 4c1d01 50816->50829 50818 4b5a11 50817->50818 50817->50820 50821 4c1d01 13 API calls 50817->50821 50819 40a123 Mailbox _memcpy_s 50818->50819 50819->50820 50820->50750 50821->50817 50824 401622 50823->50824 50826 401650 50824->50826 50836 401437 50824->50836 50827 40165d _memcpy_s 50826->50827 50827->50754 50828->50751 50830 4c1d0f 50829->50830 50831 4c1d13 ReadFile 50829->50831 50830->50816 50831->50830 50832 4c1d2c GetLastError 50831->50832 50835 4cc596 11 API calls 50832->50835 50834->50813 50835->50830 50837 401441 50836->50837 50838 40147c _memcpy_s 50837->50838 50839 40149a Mailbox 50838->50839 50839->50826 50856 5d31f9 __EH_prolog3_catch 50857 5d328f 50856->50857 50858 5d3216 TlsGetValue 50856->50858 50858->50857 50859 5d3224 50858->50859 50860 4b3c8a Mailbox 5 API calls 50859->50860 50861 5d322e 50860->50861 50862 5d3245 TlsSetValue 50861->50862 50863 5d326f RtlEnterCriticalSection 50862->50863 50864 5d3258 GetLastError __CxxThrowException 50862->50864 50865 5d2b8f 50863->50865 50864->50863 50866 5d3288 RtlLeaveCriticalSection 50865->50866 50866->50857 50867 41eae7 50868 401bab 4 API calls 50867->50868 50869 41eafb 50868->50869 51037 41e284 __EH_prolog3 50869->51037 50871 41eb09 50872 401bab 4 API calls 50871->50872 50873 41eb40 50872->50873 50874 40c544 2 API calls 50873->50874 50875 41eb51 50874->50875 50876 41f0c9 GetModuleFileNameA 50875->50876 50878 401bab 4 API calls 50875->50878 50877 40258d 2 API calls 50876->50877 50984 41f02e Mailbox 50877->50984 50879 41eb73 50878->50879 50880 41e284 7 API calls 50879->50880 50881 41eb81 50880->50881 50882 41eb90 50881->50882 50885 41ebb9 Mailbox 50881->50885 51120 4c09fd 29 API calls Mailbox 50882->51120 50886 41ebfa GetFileAttributesA 50885->50886 50887 41ec10 50886->50887 50888 41ec6d 50886->50888 50889 401bab 4 API calls 50887->50889 50894 41ece4 GetModuleFileNameA 50888->50894 50905 41ec85 Mailbox 50888->50905 50891 41ec2a 50889->50891 50890 41f170 GetModuleFileNameA 50892 
41f18a 50890->50892 50893 40258d 2 API calls 50891->50893 50896 401bab 4 API calls 50892->50896 50895 41ec4a 50893->50895 50900 41ecfd 50894->50900 51121 4c09fd 29 API calls Mailbox 50895->51121 50898 41f1a4 50896->50898 50899 44a06a 7 API calls 50898->50899 50901 41f1af 50899->50901 50902 40258d 2 API calls 50900->50902 50903 4019b2 3 API calls 50901->50903 50906 41ed26 50902->50906 50904 41f1d8 __splitpath_s 50903->50904 50907 4019b2 3 API calls 50904->50907 50905->50894 50908 41f0b3 50906->50908 50911 41ed3f Mailbox 50906->50911 50909 41f218 50907->50909 50908->50876 50910 40258d 2 API calls 50909->50910 50920 41f25e Mailbox 50910->50920 50912 401bab 4 API calls 50911->50912 50913 41ed8e 50912->50913 50915 41e284 7 API calls 50913->50915 50914 401bab 4 API calls 50916 41f2e7 50914->50916 50917 41eda0 50915->50917 50918 41e284 7 API calls 50916->50918 50921 41edc7 Mailbox 50917->50921 51122 4c09fd 29 API calls Mailbox 50917->51122 50927 41f2f9 50918->50927 50920->50914 51123 5b8a7e 15 API calls strtoxq 50921->51123 50923 41edfe Mailbox 50924 401bab 4 API calls 50923->50924 50925 41ee3a 50924->50925 50926 41e284 7 API calls 50925->50926 50928 41ee4c 50926->50928 50929 41f51b _strlen 50927->50929 50930 41f34b _strlen 50927->50930 50942 41ee6e Mailbox 50928->50942 51124 40c4ce _LocaleUpdate::_LocaleUpdate _strlen _strlen 50928->51124 50933 40181f 2 API calls 50929->50933 50932 40181f 2 API calls 50930->50932 50931 401bab 4 API calls 50935 41eece 50931->50935 50936 41f364 50932->50936 50937 41f534 50933->50937 50938 41e284 7 API calls 50935->50938 50943 401bab 4 API calls 50936->50943 50939 41f542 50937->50939 50945 41f596 50937->50945 51131 4c09fd 29 API calls Mailbox 50939->51131 50942->50931 50946 41f387 50943->50946 51132 41c9d7 52 API calls Mailbox 50945->51132 50948 41e284 7 API calls 50946->50948 50956 41f399 Mailbox 50948->50956 50951 41f5e2 50952 41f633 50951->50952 50953 41f5e6 50951->50953 50984->50890 50991 41ff91 50984->50991 51147 4c09fd 29 API calls 
Mailbox 50991->51147 51035 41eba6 Mailbox 51041 41e2a0 51037->51041 51038 4019b2 3 API calls 51038->51041 51039 41e34d Mailbox 51039->50871 51041->51038 51041->51039 51148 40c4ce _LocaleUpdate::_LocaleUpdate _strlen _strlen 51041->51148 51120->51035 51121->51035 51122->50921 51123->50923 51124->50942 51131->51035 51132->50951 51147->51035 51148->51041 51891 437565 __EH_prolog3 51892 401bab 4 API calls 51891->51892 51893 43759e 51892->51893 51894 40c578 4 API calls 51893->51894 51895 4375af 51894->51895 51896 401bab 4 API calls 51895->51896 51897 4375d2 51896->51897 51898 43c227 9 API calls 51897->51898 51903 4375e7 51898->51903 51899 401bab 4 API calls 51906 437611 Mailbox 51899->51906 51900 437980 Mailbox 51901 43c227 9 API calls 51901->51906 51903->51906 51943 42442b 6 API calls Mailbox 51903->51943 51906->51899 51906->51900 51906->51901 51907 4359a7 __EH_prolog3_GS 51906->51907 51944 42442b 6 API calls Mailbox 51906->51944 51908 4359c6 Mailbox 51907->51908 51909 4359d0 51907->51909 51908->51906 51909->51908 51910 435a20 GetLogicalDriveStringsA 51909->51910 51912 435ae5 51910->51912 51914 435a4b Mailbox 51910->51914 51911 435c25 51915 435c3d GetDriveTypeA 51911->51915 51912->51911 51913 401bab 4 API calls 51912->51913 51916 435b0c Mailbox 51913->51916 51914->51912 51951 4b651e __FF_MSGBANNER __NMSG_WRITE RtlAllocateHeap ___crtCorExitProcess ExitProcess 51914->51951 51941 435c5c Mailbox 51915->51941 51916->51911 51918 435b48 51916->51918 51919 401bab 4 API calls 51918->51919 51934 435bfe Mailbox 51918->51934 51920 435b6a 51919->51920 51921 43c227 9 API calls 51920->51921 51922 435b82 51921->51922 51923 401bab 4 API calls 51922->51923 51924 435b97 51923->51924 51925 43c227 9 API calls 51924->51925 51926 435baf 51925->51926 51928 405b1f 3 API calls 51926->51928 51929 435bdf MessageBoxA 51928->51929 51929->51934 51930 435fe3 51931 40c75b 4 API calls 51930->51931 51930->51934 51932 436004 51931->51932 51952 43a00f __EH_prolog3 51932->51952 51935 40c75b _memcpy_s 
_memcpy_s __EH_prolog3 _strlen 51935->51941 51936 401bab _memmove_s _memcpy_s _strlen __EH_prolog3 51936->51941 51937 43c227 9 API calls 51937->51941 51938 40258d 2 API calls 51938->51941 51939 43c227 9 API calls 51940 435ed6 MessageBoxA 51939->51940 51940->51941 51941->51930 51941->51934 51941->51935 51941->51936 51941->51937 51941->51938 51941->51939 51942 43a00f _vwprintf _vswprintf_s __EH_prolog3 51941->51942 51945 44c22c GetModuleHandleA 51941->51945 51942->51941 51943->51903 51944->51906 51946 44c244 GetProcAddress 51945->51946 51947 44c27b GetDiskFreeSpaceA 51945->51947 51946->51947 51948 44c254 GetDiskFreeSpaceExA 51946->51948 51950 44c298 strtoxq 51947->51950 51949 44c26c 51948->51949 51949->51941 51950->51949 51951->51914 51953 43a028 51952->51953 51954 43a087 Mailbox 51952->51954 51955 43a08c 51953->51955 51958 43a040 51953->51958 51954->51934 51956 40258d 2 API calls 51955->51956 51956->51954 51957 40258d 2 API calls 51957->51954 51958->51954 51958->51957 51959 48c3ef 51962 48bd00 __EH_prolog3 51959->51962 51961 48c3fa 51977 48b135 51962->51977 51965 4b7f10 Mailbox DeleteObject 51966 48bd2e 51965->51966 51967 4b7f10 Mailbox DeleteObject 51966->51967 51968 48bd39 51967->51968 51969 4b7f10 Mailbox DeleteObject 51968->51969 51970 48bd44 51969->51970 51971 4025a1 Mailbox 2 API calls 51970->51971 51972 48bd61 51971->51972 51973 4025a1 Mailbox 2 API calls 51972->51973 51974 48bda3 51973->51974 51975 4025a1 Mailbox 2 API calls 51974->51975 51976 48bdb4 Mailbox 51975->51976 51976->51961 51979 48b13f 51977->51979 51978 48b195 51978->51965 51979->51978 51981 43b559 51979->51981 51984 43b4ce __EH_prolog3 51981->51984 51983 43b564 51983->51979 51985 43b4f3 51984->51985 51988 43b94c __EH_prolog3 51985->51988 51987 43b526 51987->51983 51991 4c26b9 51988->51991 51990 43b976 Mailbox 51990->51987 51997 4c26cc 51991->51997 51992 4c26ff 51995 4b3c8a Mailbox 5 API calls 51992->51995 51993 4c271f 51994 4c26df 51993->51994 51996 4c2726 _memset 51993->51996 51994->51990 51998 
4c2705 _memset 51995->51998 51996->51994 51997->51992 51997->51993 51997->51994 51999 4c2782 51997->51999 51998->51994 52000 4b3c8a Mailbox 5 API calls 51999->52000 52001 4c278a 52000->52001 52002 40a123 Mailbox _memcpy_s 52001->52002 52003 4c279b _memset 52002->52003 52003->51994 52004 4b6a67 52005 4c3262 Mailbox 17 API calls 52004->52005 52006 4b6a72 52005->52006 52011 4c07ea 6 API calls 52006->52011 52008 4b6a9c 52012 4be3ef 52008->52012 52010 4b6aa4 52011->52008 52013 4d303f Mailbox 16 API calls 52012->52013 52014 4be405 52013->52014 52015 4be41e GetCurrentThreadId SetWindowsHookExA 52014->52015 52016 4be43b 52014->52016 52015->52016 52016->52010 52017 42736f 52018 40c75b 4 API calls 52017->52018 52019 427378 52018->52019 52020 43a00f 3 API calls 52019->52020 52021 427396 Mailbox 52020->52021 52022 4273fd 52021->52022 52032 4274c9 52021->52032 52023 401bab 4 API calls 52022->52023 52026 42740a 52023->52026 52024 427699 lua_close 52025 4276c6 Mailbox 52024->52025 52029 427790 RemoveDirectoryA 52025->52029 52030 4276d7 Mailbox 52025->52030 52027 42742a _strlen 52026->52027 52031 427440 52027->52031 52028 427690 52028->52024 52033 4277ac Mailbox 52029->52033 52030->52029 52034 4276f4 DeleteFileA 52030->52034 52036 40c75b 4 API calls 52030->52036 52042 43a00f 3 API calls 52030->52042 52035 42744e DeleteFileA 52031->52035 52032->52024 52032->52028 52040 4274ab Mailbox 52032->52040 52034->52030 52037 427481 52035->52037 52038 427468 52035->52038 52036->52030 52041 40c75b 4 API calls 52037->52041 52039 40c75b 4 API calls 52038->52039 52045 42746d 52039->52045 52040->52032 52043 405b1f 3 API calls 52040->52043 52044 427486 GetLastError 52041->52044 52042->52030 52046 42759c Mailbox 52043->52046 52044->52045 52047 43a00f 3 API calls 52045->52047 52048 4275ba GetFileAttributesA 52046->52048 52047->52040 52049 4275c8 DeleteFileA 52048->52049 52050 4275da 52049->52050 52051 40c75b 4 API calls 52050->52051 52052 4275e3 52051->52052 52053 43a00f 3 API calls 52052->52053 
52054 427601 Mailbox 52053->52054 52054->52028 52055 477d73 __EH_prolog3 52056 477d88 52055->52056 52070 454035 __EH_prolog3 GetCurrentProcessId 52056->52070 52058 477d96 52074 444467 52058->52074 52060 477e57 lua_pushnil 52061 477e5e 52060->52061 52120 454079 __EH_prolog3 52061->52120 52062 477da1 52064 477dc8 lua_createtable 52062->52064 52066 477e27 Mailbox 52062->52066 52064->52066 52068 477ddb 52064->52068 52065 477e6a 52066->52060 52066->52061 52068->52066 52069 477dfb lua_pushnumber lua_pushstring lua_settable 52068->52069 52089 4445c9 52068->52089 52069->52068 52071 454066 52070->52071 52125 44444a 52071->52125 52073 454071 52073->52058 52075 444474 52074->52075 52076 44444a Mailbox 4 API calls 52075->52076 52077 444486 52076->52077 52138 44416c 52077->52138 52080 44449d K32EnumProcesses 52082 4444ba 52080->52082 52085 4444ed 52080->52085 52081 4444ef 52083 44450f _memset 52081->52083 52081->52085 52082->52085 52151 4443f9 _memcpy_s _memset _memset _memset Mailbox 52082->52151 52087 44453c 52083->52087 52085->52062 52086 444561 CloseHandle 52086->52085 52087->52086 52152 4443f9 _memcpy_s _memset _memset _memset Mailbox 52087->52152 52153 5b63f0 52089->52153 52092 444627 52094 44416c 13 API calls 52092->52094 52093 4445f8 52095 444605 GetModuleFileNameA 52093->52095 52096 44462e 52094->52096 52097 444620 52095->52097 52098 4447ec 52096->52098 52099 44463c LoadLibraryA 52096->52099 52105 4446db 52097->52105 52098->52105 52108 444803 _memset 52098->52108 52100 4446f8 OpenProcess 52099->52100 52101 44465a GetProcAddress 52099->52101 52102 444732 EnumProcessModules 52100->52102 52111 4446c9 52100->52111 52103 444670 OpenProcess 52101->52103 52104 4446ec FreeLibrary 52101->52104 52106 444794 _memset GetModuleFileNameExA 52102->52106 52107 444750 CloseHandle 52102->52107 52103->52104 52109 444689 _memset QueryFullProcessImageNameA 52103->52109 52104->52100 52105->52068 52112 4019b2 3 API calls 52106->52112 52107->52097 52115 444837 52108->52115 52110 4446e0 
FindCloseChangeNotification 52109->52110 52109->52111 52110->52104 52111->52105 52113 4019b2 3 API calls 52111->52113 52114 4447db CloseHandle 52112->52114 52113->52105 52114->52105 52116 44485b CloseHandle 52115->52116 52117 44485d 52115->52117 52116->52105 52119 4019b2 3 API calls 52117->52119 52119->52116 52121 44444a Mailbox 4 API calls 52120->52121 52122 45409c 52121->52122 52155 444138 FreeLibrary 52122->52155 52124 4540af 52124->52065 52128 4442c0 52125->52128 52127 444461 52127->52073 52130 4442ce 52128->52130 52129 444307 52134 44431b _memset 52129->52134 52130->52129 52131 44433e 52130->52131 52132 4442e1 52130->52132 52135 4443a3 52130->52135 52131->52132 52133 444349 _memset 52131->52133 52132->52127 52133->52132 52134->52132 52136 40a123 Mailbox _memcpy_s 52135->52136 52137 4443c5 _memset 52136->52137 52137->52132 52139 444183 52138->52139 52146 44417b 52138->52146 52140 44418d LoadLibraryA 52139->52140 52141 44420b GetModuleHandleA 52139->52141 52144 4441a5 GetProcAddress GetProcAddress GetProcAddress 52140->52144 52140->52146 52142 444224 LoadLibraryA 52141->52142 52143 444238 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 52141->52143 52145 444235 52142->52145 52142->52146 52149 444287 52143->52149 52147 4441f4 FreeLibrary 52144->52147 52148 4441e4 52144->52148 52145->52143 52146->52080 52146->52081 52146->52085 52147->52146 52148->52146 52148->52147 52149->52146 52150 4442b2 FreeLibrary 52149->52150 52150->52146 52151->52082 52152->52087 52154 4445d6 GetCurrentProcessId 52153->52154 52154->52092 52154->52093 52155->52124 52156 40f67a 52162 42ca05 __EH_prolog3 52156->52162 52163 42ca43 52162->52163 52164 401bab 4 API calls 52163->52164 52165 42ca9a 52164->52165 52166 401bab 4 API calls 52165->52166 52167 42cac3 52166->52167 52168 401bab 4 API calls 52167->52168 52169 42caec 52168->52169 52170 40c505 2 API calls 52169->52170 52171 42cb00 52170->52171 52336 4065d1 __EH_prolog3 52171->52336 52173 42cb16 52174 401bab 4 API 
calls 52173->52174 52175 42cb27 52174->52175 52176 40c544 2 API calls 52175->52176 52177 42cb38 52176->52177 52178 40c75b 4 API calls 52177->52178 52179 42cb6c 52178->52179 52180 43a00f 3 API calls 52179->52180 52181 42cb8a Mailbox 52180->52181 52344 44d704 __EH_prolog3_GS 52181->52344 52183 42cbd6 52184 40c75b 4 API calls 52183->52184 52185 42cbe9 52184->52185 52186 43a00f 3 API calls 52185->52186 52187 42cc03 Mailbox 52186->52187 52188 401bab 4 API calls 52187->52188 52189 42cc2d 52188->52189 52190 401bab 4 API calls 52189->52190 52191 42cc58 52190->52191 52337 4065e4 52336->52337 52338 4065ed lua_createtable 52337->52338 52339 406768 lua_setfield 52338->52339 52343 406615 Mailbox 52338->52343 52341 40678b Mailbox 52339->52341 52340 401bab 4 API calls 52340->52343 52341->52173 52342 406718 lua_pushnumber lua_pushstring lua_settable 52342->52343 52343->52339 52343->52340 52343->52342 52345 401bab 4 API calls 52344->52345 52346 44d735 GetFileAttributesA 52345->52346 52347 44d74d lstrcpy 52346->52347 52349 44d804 Mailbox 52346->52349 52348 44d770 52347->52348 52348->52349 52350 5b4b83 _malloc 5 API calls 52348->52350 52349->52183 52351 44d780 52350->52351 52351->52349 52352 44d79b 73EE1500 52351->52352 52353 44d7b8 _memmove 52352->52353 52356 44d7fb 52352->52356 52355 40258d 2 API calls 52353->52355 52354 5b4c17 _free 2 API calls 52354->52349 52355->52356 52356->52354 52411 4bbbf7 52412 4bbc02 GetModuleHandleA 52411->52412 52413 4bbc26 52411->52413 52412->52413 52414 4bbc12 LoadLibraryA 52412->52414 52414->52413 52415 4d38f3 52416 4d38fe 52415->52416 52417 4d390c 52415->52417 52418 4c3c99 5 API calls 52416->52418 52418->52417 52419 466df8 __EH_prolog3 52420 466e0d 52419->52420 52421 401bab 4 API calls 52420->52421 52422 466e2d Mailbox 52421->52422 52425 44cbb0 __EH_prolog3_GS 52422->52425 52424 466e99 Mailbox 52426 40c62c 16 API calls 52425->52426 52427 44cbd5 52426->52427 52428 40c62c 16 API calls 52427->52428 52429 44cbeb 52428->52429 52441 40c6e5 52429->52441 
52431 44cbf8 _strlen 52432 403c07 52431->52432 52433 44cc09 _memset 52432->52433 52434 44ccb0 Mailbox 52433->52434 52435 44cc36 Mailbox 52433->52435 52434->52424 52435->52434 52436 44cc86 SetCurrentDirectoryA 52435->52436 52439 44cd3c SetCurrentDirectoryA 52435->52439 52447 40c4ce _LocaleUpdate::_LocaleUpdate _strlen _strlen 52435->52447 52436->52435 52438 44cc97 CreateDirectoryA 52436->52438 52438->52435 52439->52435 52440 44cd4d CreateDirectoryA 52439->52440 52440->52435 52442 40c6f3 52441->52442 52443 40c747 52441->52443 52442->52443 52444 40c71c 52442->52444 52445 40c70d __mbsinc 52442->52445 52443->52431 52444->52443 52448 40c40d _memmove_s 52444->52448 52445->52442 52447->52435 52448->52443 52449 425cfd __EH_prolog3_GS 52450 425d4f 52449->52450 52451 44a8a2 27 API calls 52450->52451 52454 425d88 52450->52454 52455 425d82 52451->52455 52452 43a00f 3 API calls 52453 425f55 Mailbox 52452->52453 52454->52452 52454->52453 52455->52454 52456 425f04 Mailbox 52455->52456 52458 401bab 4 API calls 52455->52458 52457 43a00f 3 API calls 52456->52457 52457->52454 52459 425e76 52458->52459 52460 43c227 9 API calls 52459->52460 52461 425e8e Mailbox 52460->52461 52462 401bab 4 API calls 52461->52462 52463 425ec4 52462->52463 52464 43c227 9 API calls 52463->52464 52465 425edc MessageBoxA 52464->52465 52465->52456 52466 40c301 52470 40c312 52466->52470 52469 40c379 52484 40c23e 15 API calls 52469->52484 52470->52469 52472 40c3a0 52470->52472 52473 4b29ac _memmove_s RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection WaitForSingleObject 52470->52473 52474 4b2894 __EH_prolog3_catch 52470->52474 52473->52470 52475 4b28ad RtlEnterCriticalSection 52474->52475 52477 4b28b9 52474->52477 52475->52477 52476 4b2904 52478 4b2908 RtlLeaveCriticalSection 52476->52478 52482 4b28e9 52476->52482 52477->52476 52479 4b28c8 52477->52479 52478->52482 52485 4d2a03 52479->52485 52481 4b28d9 52481->52482 52483 4b28e2 RtlLeaveCriticalSection 52481->52483 52482->52470 52483->52482 
52484->52470 52486 4d2a18 52485->52486 52493 4d2a9d Mailbox 52485->52493 52487 4d2a26 52486->52487 52488 4d2a31 52486->52488 52486->52493 52496 4d2861 52487->52496 52490 4d2861 Mailbox 9 API calls 52488->52490 52491 4d2a3d 52490->52491 52509 40c40d _memmove_s 52491->52509 52493->52481 52494 4d2a63 _memset 52495 4d2a2f 52494->52495 52495->52481 52503 4d2874 52496->52503 52497 4d28a2 52498 4b3c8a Mailbox 5 API calls 52497->52498 52501 4d28ad _memset 52498->52501 52499 4d28c8 52500 4d2887 52499->52500 52502 4d28cf _memset 52499->52502 52500->52495 52501->52500 52502->52500 52503->52497 52503->52499 52503->52500 52504 4d2931 52503->52504 52505 4b3c8a Mailbox 5 API calls 52504->52505 52506 4d293a 52505->52506 52507 40a123 Mailbox _memcpy_s 52506->52507 52508 4d2953 _memset 52507->52508 52508->52500 52509->52494 52510 4d538c 52533 4d5333 52510->52533 52512 4d53a0 52513 4d5333 19 API calls 52512->52513 52514 4d53ab 52513->52514 52515 4d5333 19 API calls 52514->52515 52516 4d53bb 52515->52516 52517 4d5333 19 API calls 52516->52517 52518 4d53ca 52517->52518 52519 4d5333 19 API calls 52518->52519 52520 4d53d5 52519->52520 52521 4d5333 19 API calls 52520->52521 52522 4d53e0 52521->52522 52523 4d5333 19 API calls 52522->52523 52524 4d53eb 52523->52524 52525 4d5333 19 API calls 52524->52525 52526 4d53fb 52525->52526 52527 4d5333 19 API calls 52526->52527 52528 4d540d 52527->52528 52529 4d5333 19 API calls 52528->52529 52530 4d541c 52529->52530 52531 4d5333 19 API calls 52530->52531 52532 4d5427 52531->52532 52534 4c3262 Mailbox 17 API calls 52533->52534 52535 4d5350 52534->52535 52538 4babdd 52535->52538 52537 4d5360 52537->52512 52539 4babe9 52538->52539 52540 4c3262 Mailbox 17 API calls 52539->52540 52541 4babf7 ActivateActCtx 52540->52541 52542 4bac0e GetClassInfoA 52541->52542 52543 4bac0a 52541->52543 52542->52543 52543->52537 52550 472f83 __EH_prolog3 52551 472f98 52550->52551 52552 401bab 4 API calls 52551->52552 52553 472fb8 Mailbox 52552->52553 52554 401bab 4 API calls 
52553->52554 52555 473008 lua_type 52554->52555 52556 473030 52555->52556 52557 47301d 52555->52557 52558 401bab 4 API calls 52556->52558 52562 4019b2 3 API calls 52557->52562 52559 47303e lua_type 52558->52559 52560 473063 52559->52560 52561 473050 52559->52561 52563 401bab 4 API calls 52560->52563 52565 4019b2 3 API calls 52561->52565 52562->52556 52564 47306c lua_type 52563->52564 52566 4730d0 lua_type 52564->52566 52567 47307e 52564->52567 52565->52560 52568 4730f7 lua_type 52566->52568 52571 4730e5 52566->52571 52570 4019b2 3 API calls 52567->52570 52569 47310a lua_type 52568->52569 52573 473118 52568->52573 52569->52573 52576 473091 Mailbox 52570->52576 52571->52568 52572 473131 _memset 52574 473157 52572->52574 52575 47315e ShellExecuteEx 52572->52575 52573->52572 52574->52575 52577 473193 52575->52577 52578 4731ef 52575->52578 52576->52566 52579 4731fd GetExitCodeProcess 52577->52579 52582 4731dd MsgWaitForMultipleObjects 52577->52582 52578->52579 52580 473213 52579->52580 52581 47321d CloseHandle 52579->52581 52580->52581 52583 473219 52580->52583 52584 47322f 52581->52584 52582->52578 52585 4731c8 PeekMessageA 52582->52585 52583->52581 52587 47323f lua_pushnumber 52584->52587 52585->52582 52586 4731a5 52585->52586 52586->52585 52588 4731b4 TranslateMessage DispatchMessageA 52586->52588 52589 473256 Mailbox 52587->52589 52588->52585 52590 40f386 52591 40f399 52590->52591 52592 40f3f7 GetSystemMetrics GetSystemMetrics 52591->52592 52593 40f3c9 52591->52593 52596 40f46e 52591->52596 52594 40f424 GetSystemMetrics GetSystemMetrics 52592->52594 52593->52594 52595 40f45b IsWindow 52594->52595 52594->52596 52595->52596 52597 473280 __EH_prolog3_GS 52598 47329e 52597->52598 52599 401bab 4 API calls 52598->52599 52600 4732e8 52599->52600 52815 45237e __EH_prolog3_GS 52600->52815 52602 47333d 52603 473f0c lua_pushstring 52602->52603 52604 473f2a Mailbox 52603->52604 52605 47330d Mailbox 52605->52602 52606 4733c2 52605->52606 52607 47372c 52605->52607 52610 4736e6 
_strlen 52606->52610 52611 4733cb 52606->52611 52608 473735 52607->52608 52609 4738fd 52607->52609 52612 4738af _strlen 52608->52612 52613 47373b 52608->52613 52614 473906 52609->52614 52615 4739f3 _strlen 52609->52615 52618 40181f 2 API calls 52610->52618 52616 473574 52611->52616 52617 4733d4 52611->52617 52619 40181f 2 API calls 52612->52619 52620 473744 52613->52620 52621 473871 _strlen 52613->52621 52622 4739b0 _strlen 52614->52622 52623 47390f 52614->52623 52624 40181f 2 API calls 52615->52624 52628 47357d 52616->52628 52629 4736a8 _strlen 52616->52629 52625 473536 _strlen 52617->52625 52626 4733da 52617->52626 52627 473702 _strlen 52618->52627 52630 4738cb _strlen 52619->52630 52631 473833 _strlen 52620->52631 52632 47374c 52620->52632 52641 40181f 2 API calls 52621->52641 52633 40181f 2 API calls 52622->52633 52635 473912 52623->52635 52636 47396a _strlen 52623->52636 52638 473a0f _strlen 52624->52638 52637 40181f 2 API calls 52625->52637 52639 4733e2 52626->52639 52640 4734f8 _strlen 52626->52640 52642 40181f 2 API calls 52627->52642 52643 473586 52628->52643 52644 47366a _strlen 52628->52644 52634 40181f 2 API calls 52629->52634 52647 40181f 2 API calls 52630->52647 52655 40181f 2 API calls 52631->52655 52648 473755 52632->52648 52649 4737ed _strlen 52632->52649 52654 4739cc _strlen 52633->52654 52656 4736bc _strlen 52634->52656 52650 473924 _strlen 52635->52650 52738 473915 52635->52738 52651 40181f 2 API calls 52636->52651 52657 47354a _strlen 52637->52657 52658 40181f 2 API calls 52638->52658 52659 4733eb 52639->52659 52660 4734ba _strlen 52639->52660 52653 40181f 2 API calls 52640->52653 52661 473885 _strlen 52641->52661 52662 473716 _strlen 52642->52662 52645 473624 _strlen 52643->52645 52646 47358e 52643->52646 52652 40181f 2 API calls 52644->52652 52670 40181f 2 API calls 52645->52670 52664 473591 52646->52664 52665 4735de _strlen 52646->52665 52666 4738e7 _strlen 52647->52666 52667 47379f _strlen 52648->52667 52668 47375a 52648->52668 52673 40181f 

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3198 44416c-444179 3199 444183-44418b 3198->3199 3200 44417b-44417e 3198->3200 3202 44418d-44419f LoadLibraryA 3199->3202 3203 44420b-444222 GetModuleHandleA 3199->3203 3201 4442bd-4442bf 3200->3201 3206 4441a5-4441e2 GetProcAddress * 3 3202->3206 3207 4442b9 3202->3207 3204 444224-44422f LoadLibraryA 3203->3204 3205 444238-444285 GetProcAddress * 5 3203->3205 3204->3207 3208 444235 3204->3208 3209 444287-44428d 3205->3209 3210 4442ad-4442b0 3205->3210 3212 4441f4-444206 FreeLibrary 3206->3212 3213 4441e4-4441ea 3206->3213 3211 4442bb-4442bc 3207->3211 3208->3205 3209->3210 3214 44428f-444295 3209->3214 3210->3207 3215 4442b2-4442b3 FreeLibrary 3210->3215 3211->3201 3212->3207 3213->3212 3216 4441ec-4441ee 3213->3216 3214->3210 3217 444297-44429d 3214->3217 3215->3207 3216->3212 3218 4442a3-4442ab 3216->3218 3217->3210 3219 44429f-4442a1 3217->3219 3218->3211 3219->3210 3219->3218
APIs
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00444192
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004441B1
• GetProcAddress.KERNEL32(EnumProcessModules), ref: 004441C3
• GetProcAddress.KERNEL32(GetModuleFileNameExA), ref: 004441D5
• FreeLibrary.KERNEL32 ref: 004441FA
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleFileNameExA$KERNEL32.DLL$Module32First$Module32Next$PSAPI.DLL$Process32First$Process32Next
• API String ID: 2449869053-2136592061
• Opcode ID: de6bc20ce13dd26b1a37fd1544623143aa8ab3c7a79226b8d9d0c61516e5153c
• Instruction ID: 16f59a1005e3f932de00098af5eb0272050f104e5185e9194a7d997368246a6a
• Opcode Fuzzy Hash: de6bc20ce13dd26b1a37fd1544623143aa8ab3c7a79226b8d9d0c61516e5153c
• Instruction Fuzzy Hash: D7316E7A910260ABFB10AFB1AC8951A3EEAF7877A1305847BE50593220D7FD4840DF5D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3405 458fc6-458ffb GetVersionExA 3406 459005-45900c 3405->3406 3407 458ffd-459000 3405->3407 3406->3407 3409 45900e-459015 3406->3409 3408 4591bd-4591c9 call 5b518f 3407->3408 3411 459017 3409->3411 3412 459021-459063 GetCurrentThread OpenThreadToken 3409->3412 3411->3412 3414 459065-45906c GetLastError 3412->3414 3415 45908f-4590a0 call 5b4b83 3412->3415 3417 45906e-459086 GetCurrentProcess OpenProcessToken 3414->3417 3418 459088-45908a 3414->3418 3421 4591b5 3415->3421 3422 4590a6-4590ce GetTokenInformation GetLastError 3415->3422 3417->3415 3417->3418 3420 4591bc 3418->3420 3420->3408 3425 4591bb 3421->3425 3423 4590d0-4590d3 3422->3423 3424 459109-45911d CloseHandle 3422->3424 3423->3424 3426 4590d5-4590e5 call 5bb01c 3423->3426 3427 459143-459149 call 5b4c17 3424->3427 3428 45911f-459141 AllocateAndInitializeSid 3424->3428 3425->3420 3437 4590e7-459107 GetTokenInformation GetLastError 3426->3437 3438 45914a-45914c 3426->3438 3427->3438 3428->3427 3430 45914e-459156 3428->3430 3434 459187-4591a0 FreeSid call 5b4c17 3430->3434 3435 459158-45915a 3430->3435 3434->3421 3444 4591a2-4591a8 3434->3444 3435->3434 3436 45915c 3435->3436 3440 45915f-45916f EqualSid 3436->3440 3437->3424 3438->3425 3442 459171-459177 3440->3442 3443 45917b 3440->3443 3442->3440 3445 459179 3442->3445 3446 459185 3443->3446 3444->3421 3447 4591aa call 458f0c 3444->3447 3445->3446 3446->3434 3449 4591af 3447->3449 3449->3421
APIs
• GetVersionExA.KERNEL32(?,00000000), ref: 00458FF3
• GetCurrentThread.KERNEL32 ref: 0045904E
• OpenThreadToken.ADVAPI32(00000000), ref: 00459055
• GetLastError.KERNEL32 ref: 00459065
• GetCurrentProcess.KERNEL32(00000008,?), ref: 00459077
• OpenProcessToken.ADVAPI32(00000000), ref: 0045907E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken$ErrorLastVersion
• String ID:
• API String ID: 1157636217-0
• Opcode ID: 2c0d7614f97d7bbbf8b7e768c7ca6c654a8f7c70b9d3473640f55911c4aad1f1
• Instruction ID: 28f345c65202ad85ea081bbbffd35357cc0aecedf770b5ae172ec68553497311
• Opcode Fuzzy Hash: 2c0d7614f97d7bbbf8b7e768c7ca6c654a8f7c70b9d3473640f55911c4aad1f1
• Instruction Fuzzy Hash: 4D518271A10329EFEF209F60CC48BAF77BAEF45701F144097E949A6142DB745E888F56
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004359B1
• GetLogicalDriveStringsA.KERNEL32(00000400,?), ref: 00435A30
• MessageBoxA.USER32(?,00000000), ref: 00435BEA
• GetDriveTypeA.KERNEL32(00000000), ref: 00435C42
• MessageBoxA.USER32(?,?,00000000,?), ref: 00435EE4
  • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DriveMessage$H_prolog3H_prolog3_LogicalStringsType
• String ID: %s:%s%s %s%s %s$:$ERR_DRIVE_NOTENOUGHSPACE$ERR_DRIVE_NOTEXIST$Free space check on drive: $MSG_AVAILABLE_DRIVE$MSG_ERROR$MSG_REQUIRED_DRIVE
• API String ID: 1866183364-2056702564
• Opcode ID: 148437870819e588428fd45cafacc5f6775580e0fc557f3f52eff7a95da50807
• Instruction ID: 917801a5341abf3f24af672a2e2339547ac124f9b2bc70237aa367d561b7d71f
• Opcode Fuzzy Hash: 148437870819e588428fd45cafacc5f6775580e0fc557f3f52eff7a95da50807
• Instruction Fuzzy Hash: 960280B19001189BCB24EBA4CD51BED7779AF55318F4041EEF209A72D2DB385A84CF6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004C229D
• GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,004C2516,?,00000000,?,?,00008DD8,00000000), ref: 004C22DB
• __cftof.LIBCMT ref: 004C22EF
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• PathIsUNCA.SHLWAPI(?,?,?,00000000,?,00008DD8,00000000), ref: 004C2357
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00008DD8,00000000), ref: 004C237E
• CharUpperA.USER32(?), ref: 004C23B1
• FindFirstFileA.KERNEL32(?,?), ref: 004C23CD
• FindClose.KERNEL32(00000000), ref: 004C23D9
• lstrlen.KERNEL32(00000000), ref: 004C23F7
• _strcpy_s.LIBCMT ref: 004C241B
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolume__cftof_strcpy_slstrlen
• String ID:
• API String ID: 1696414672-0
• Opcode ID: 7934e5c1a1a8fe40e26f0004d8797a068d9f9dfade76b9f029e4047937372db0
• Instruction ID: d28ed3da59c2e841b17ce778635d605d1f5dafbb7deae3fa1d248f3b5fe50481
• Opcode Fuzzy Hash: 7934e5c1a1a8fe40e26f0004d8797a068d9f9dfade76b9f029e4047937372db0
• Instruction Fuzzy Hash: A041C375800659DBDF65AFA0CD48FFF7738AF50315F00019EB809A52A1DBB89E84CE68
Uniqueness
Uniqueness Score: -1.00%

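Reading these per-function API listings by hand does not scale across the hundreds of routines a report like this contains. The script below is an added example, not Joe Sandbox code and not part of the report: it parses the bullet format used in the APIs sections above into records, separates direct calls from the "Part of subcall function" lines the plugin inherits from callees, tallies calls per module, flags call sites that size a path buffer to MAX_PATH (0x104, as GetFullPathNameA does in the routine whose prolog call is at 004C229D), and splits the "String ID" of the drive-space-check routine at 004359B1 into its individual strings. The sample input is copied from the two listings above. Assumptions: the plugin joins strings with "$", the LENGTH_ARG positions follow the Win32 prototypes, and an argument column is a resolved constant only when it is a literal hex value rather than "?".

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into records.

Added example, not Joe Sandbox code. Line formats, taken from the report:
  "• <api>.<MODULE>(<args>), ref: <addr>"                     direct call
  "• Part of subcall function <addr>: <api>.<MODULE> ref: <addr>"  inherited
Argument columns mirror the stack at the call site, so only the leading
columns line up with the API prototype.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the API lines of the routine whose prolog call sits at
# 004C229D, copied from the report.
SAMPLE_APIS = """\
• __EH_prolog3_GS.LIBCMT ref: 004C229D
• GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,004C2516,?,00000000,?,?,00008DD8,00000000), ref: 004C22DB
• __cftof.LIBCMT ref: 004C22EF
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• PathIsUNCA.SHLWAPI(?,?,?,00000000,?,00008DD8,00000000), ref: 004C2357
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00008DD8,00000000), ref: 004C237E
• CharUpperA.USER32(?), ref: 004C23B1
• FindFirstFileA.KERNEL32(?,?), ref: 004C23CD
• FindClose.KERNEL32(00000000), ref: 004C23D9
• lstrlen.KERNEL32(00000000), ref: 004C23F7
• _strcpy_s.LIBCMT ref: 004C241B
"""

# Constructed sample: the "String ID" of the drive-space-check routine
# (prolog call at 004359B1). Assumption: the report joins strings with '$'.
SAMPLE_STRING_ID = ("%s:%s%s %s%s %s$:$ERR_DRIVE_NOTENOUGHSPACE$ERR_DRIVE_NOTEXIST"
                    "$Free space check on drive: $MSG_AVAILABLE_DRIVE$MSG_ERROR$MSG_REQUIRED_DRIVE")

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Index of the buffer-length argument for the size-taking APIs seen in the
# report, in Win32 prototype order (assumption: leading columns follow it).
LENGTH_ARG = {"GetFullPathNameA": 1, "GetLogicalDriveStringsA": 0, "lstrcpyn": 2}
MAX_PATH = 0x104


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                                   # address of the call site
    args: list = field(default_factory=list)   # int per column, None for '?'
    subcall_of: Optional[int] = None           # callee that owns this call


def _parse_args(raw):
    if raw is None or raw.strip() == "":
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]


def parse_api_listing(text):
    """Return one ApiCall per bullet line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"], module=m["mod"].upper(), ref=int(m["ref"], 16),
            args=_parse_args(m["args"]),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def module_histogram(calls, include_subcalls=False):
    """Calls per module; inherited subcall lines are excluded unless asked for."""
    return Counter(c.module for c in calls
                   if include_subcalls or c.subcall_of is None)


def buffer_sizes(calls):
    """Map (api, ref) -> buffer length for calls whose length column is concrete."""
    sizes = {}
    for c in calls:
        idx = LENGTH_ARG.get(c.api)
        if idx is not None and idx < len(c.args) and c.args[idx] is not None:
            sizes[(c.api, c.ref)] = c.args[idx]
    return sizes


def max_path_buffers(calls):
    """Call sites that size a path buffer to exactly MAX_PATH (0x104 bytes)."""
    return sorted(k for k, v in buffer_sizes(calls).items() if v == MAX_PATH)


def split_string_id(string_id):
    """Split a 'String ID' field into its strings (assumes '$' is the separator)."""
    return string_id.split("$") if string_id else []


if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE_APIS)
    print(module_histogram(calls))
    for api, ref in max_path_buffers(calls):
        print(f"{api} at {ref:08X} uses a MAX_PATH-sized buffer")
    print(split_string_id(SAMPLE_STRING_ID))
```

Two caveats when reading the output. The argument columns are stack slots at the moment of the call, so values past the prototype's arity are whatever else sat on the stack (the 0042D4B5 and 0042ACB8 entries in the 0044A75D listing appear to be code addresses from the call chain) and must not be read as parameters. A 0x104 buffer shows that the sample works with fixed 260-byte ANSI path buffers; whether an over-long path is handled safely depends on whether the return value of GetFullPathNameA (the required length when the buffer is too small) is checked, which only the disassembly, not this listing, can show.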
APIs
• __EH_prolog3_GS.LIBCMT ref: 0044A75D
• GetFullPathNameA.KERNEL32(?,00000104,?,?,00000158,0044A8C1,?,?,0000014C,0042ACB8,?,?,006985B8,00000000,00000000,00000000), ref: 0044A77D
• lstrcpyn.KERNEL32(?,?,00000104,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000), ref: 0044A78A
• _strlen.LIBCMT ref: 0044A7CF
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,00698DAC,00000000,00000000,?,000000A8,?,00000020,0042D4B5), ref: 0044A7FC
• CharUpperA.USER32(?), ref: 0044A81C
• FindFirstFileA.KERNEL32(?,?), ref: 0044A838
• FindClose.KERNEL32(00000000), ref: 0044A844
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Find$CharCloseFileFirstFullH_prolog3_InformationNamePathUpperVolume_strlenlstrcpyn
• String ID:
• API String ID: 1402569657-0
• Opcode ID: 4792e090452097429a4122506f4b797b77648ced3a3e471d60e5698ff8b801c6
• Instruction ID: 8dbaea6bf57266fc7c01749efa83c41ddafa5eedf3300377e1474c0166a389cb
• Opcode Fuzzy Hash: 4792e090452097429a4122506f4b797b77648ced3a3e471d60e5698ff8b801c6
• Instruction Fuzzy Hash: 7A219571804558ABEB21AF61CC89EEF7B7CEFC5315F0004AAF409A6151DA385E85CF64
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0044A8AC
  • Part of subcall function 0044A753: __EH_prolog3_GS.LIBCMT ref: 0044A75D
  • Part of subcall function 0044A753: GetFullPathNameA.KERNEL32(?,00000104,?,?,00000158,0044A8C1,?,?,0000014C,0042ACB8,?,?,006985B8,00000000,00000000,00000000), ref: 0044A77D
  • Part of subcall function 0044A753: lstrcpyn.KERNEL32(?,?,00000104,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000), ref: 0044A78A
• GetFileAttributesA.KERNEL32(?,0000014C,0042ACB8,?,?,006985B8,00000000,00000000,00000000,000003CC,?,000000A8,?,00000020,0042D4B5,00000000), ref: 0044A8D3
• _strlen.LIBCMT ref: 0044A94A
• FindFirstFileA.KERNEL32(?,?,?,00000000,?,00000104,?,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000), ref: 0044A96A
• FindClose.KERNEL32(00000000,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000,00000000,00000000), ref: 0044A999
  • Part of subcall function 00449EEE: __time64.LIBCMT ref: 00449F08
  • Part of subcall function 00449EEE: FileTimeToLocalFileTime.KERNEL32(00000001,?,?), ref: 00449F18
  • Part of subcall function 00449EEE: FileTimeToSystemTime.KERNEL32(?,?), ref: 00449F2E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: File$Time$FindH_prolog3_$AttributesCloseFirstFullLocalNamePathSystem__time64_strlenlstrcpyn
• String ID:
• API String ID: 1443709101-0
• Opcode ID: bb1f59f4a2ce2df39f976b3940a659704abf967065a412d95eeb99e17433bd1c
• Instruction ID: 547087156e1b8dbc7c1312de2c0fcb0f0398db75342f1282b9abed4c34935f12
• Opcode Fuzzy Hash: bb1f59f4a2ce2df39f976b3940a659704abf967065a412d95eeb99e17433bd1c
• Instruction Fuzzy Hash: 3741AF71800605DFDB20EF64CC85ADAB7B8EF45318F1045AEE059EB291DB38AE85CF55
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0044A074
• FindFirstFileA.KERNEL32(?,?,00000148,0041F1AF,?,?,?,?,00000104,?,00000000), ref: 0044A089
  • Part of subcall function 00449FCA: __EH_prolog3.LIBCMT ref: 00449FD1
• FindClose.KERNEL32(00000000,?,?,00000001,?,?,?,?,?,?,00000104,?,00000000), ref: 0044A0C6
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Find$CloseFileFirstH_prolog3H_prolog3_
• String ID:
• API String ID: 681597840-0
• Opcode ID: 4a2f8fec65b44455310301669a2b02166963b59768817b5c6cfaf28988d38d44
• Instruction ID: d5eeee8bf188be13c2627145fae7f78397d92feb1d62001dd3b4fb4c16845359
• Opcode Fuzzy Hash: 4a2f8fec65b44455310301669a2b02166963b59768817b5c6cfaf28988d38d44
• Instruction Fuzzy Hash: ECF0A431510408ABD719BF54CC45AFE7B29BF44329F04425AB825A62D1CF346E458B65
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Activate
• String ID: Button
• API String ID: 1326475003-1034594571
• Opcode ID: 15474d3ee7b3c14adb3dc7ce1514338a61810708b25eb9e108c16c8a97a919dc
• Instruction ID: d57b847bfd3ac7269c7f149f3e769002f634bc7c7c63fce177c4daf3222b22e9
• Opcode Fuzzy Hash: 15474d3ee7b3c14adb3dc7ce1514338a61810708b25eb9e108c16c8a97a919dc
• Instruction Fuzzy Hash: 0BF09072D00208EBCF00DF96D845ADEBBF8EF48324F14406BE904F7200E674AA49CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph image not reproduced; the layout text is summarised here for the function at 00473280.
• Entry block 473280-473308: __EH_prolog3_GS, then calls to 459443, 4597a0, 4593ca, 5b5910, 4b56a0, 4015ec, 401bab, 564c08 and 45237e.
• Blocks 4733c2-473a2f: a chain of branches that each run _strlen / 40181f / _strlen / 40181f / _strlen and rejoin at 473a34-473a3a (call 40181f), then 473a3f-473a8b (calls 4454da, 445507, 445534, 445632).
• 473af8-473b11: GetVersionExA; 473b17-473b29: call 402391; a second _strlen / 40181f branch chain 473b4b-473dd9 rejoins at 473dfd-473e49 (calls 4454da, 445507, 445534, 445632).
• Exit path 473ec1-473efa (40124d * 3, 444abd) into 473f00-473f4e: call 4593d3, lua_pushstring, 52b591, 40124d * 2, 5b528a.
APIs
• __EH_prolog3_GS.LIBCMT ref: 0047328A
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0045237E: __EH_prolog3_GS.LIBCMT ref: 00452388
  • Part of subcall function 0045237E: SHGetSpecialFolderLocation.SHELL32 ref: 004523C6
  • Part of subcall function 0045237E: SHGetPathFromIDList.SHELL32(?,?), ref: 004523DD
  • Part of subcall function 0045237E: SHGetMalloc.SHELL32(?), ref: 004523EE
  • Part of subcall function 0045237E: lstrlen.KERNEL32(?), ref: 00452421
  • Part of subcall function 0045237E: lstrlen.KERNEL32(?), ref: 0045242D
• _strlen.LIBCMT ref: 00473401
• _strlen.LIBCMT ref: 00473415
• _strlen.LIBCMT ref: 0047342D
  • Part of subcall function 004593D3: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593E5
  • Part of subcall function 004593D3: lua_pushstring.LUA5.1(?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F0
  • Part of subcall function 004593D3: lua_gettable.LUA5.1(?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F8
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459400
  • Part of subcall function 004593D3: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459408
  • Part of subcall function 004593D3: lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 0045941E
  • Part of subcall function 004593D3: lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00407717), ref: 0045942A
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FF,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 00459439
• lua_pushstring.LUA5.1(?,?,?,?), ref: 00473F13
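Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for API entries in the shape listed above, so that the calls worth following (run-time export resolution via GetProcAddress, globals read by the embedded Lua 5.1 runtime, environment strings expanded) can be pulled out of a pasted report rather than read by eye. It assumes the line shape `• [Part of subcall function ADDR:] Func.MODULE(args), ref: ADDR` used on this page; the sample text is constructed from entries on this page (including the IsWow64Process resolution listed for subcall function 00458416 further down), and the helper names (`parse_api_lines`, `resolved_by_getprocaddress`, `lua_globals_fetched`, `calls_of`) are my own. `LUA_GLOBALSINDEX` is the Lua 5.1 header constant (-10002), which is what the `FFFFD8EE` argument to `lua_getfield` decodes to as a signed 32-bit value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied in the shape of the APIs lists in this report.
SAMPLE = """
• __EH_prolog3_GS.LIBCMT ref: 0047328A
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 0045237E: SHGetSpecialFolderLocation.SHELL32 ref: 004523C6
  • Part of subcall function 00458416: GetModuleHandleA.KERNEL32(kernel32.dll,0074DE40,?,0041B446,?,?,00000000), ref: 00458423
  • Part of subcall function 00458416: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00458434
  • Part of subcall function 00458416: GetCurrentProcess.KERNEL32(00000000,?,?,0041B446), ref: 00458444
• ExpandEnvironmentStringsA.KERNEL32(%ProgramW6432%,?,00000400,?,?,00000000), ref: 0041B460
• _strlen.LIBCMT ref: 0041B46D
"""

# One report line: optional "Part of subcall function ADDR:" prefix, Func.MODULE, optional
# "(args)", then ", ref: ADDR". The module name may itself contain a dot (LUA5.1).
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_.]+?)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

LUA_GLOBALSINDEX = -10002  # Lua 5.1 pseudo-index of the globals table (assumed from lua.h)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]          # "?" marks an argument the sandbox could not recover
    ref: int                 # address of the call site
    parent: Optional[int]    # subcall function the line belongs to, None for direct calls


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # headings, blank lines, anything not in the call shape
        args = m["args"].split(",") if m["args"] else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def as_int32(hexarg: str) -> int:
    """Reinterpret a 32-bit hex argument as signed (Lua pseudo-indices are negative)."""
    v = int(hexarg, 16)
    return v - (1 << 32) if v & 0x80000000 else v


def resolved_by_getprocaddress(calls: List[ApiCall]) -> List[str]:
    """Export names resolved at run time; what the GetProcAddress signature points at."""
    return [c.args[1] for c in calls if c.func == "GetProcAddress" and len(c.args) >= 2]


def lua_globals_fetched(calls: List[ApiCall]) -> List[str]:
    """Global names read by the embedded Lua runtime via lua_getfield(L, LUA_GLOBALSINDEX, name)."""
    names = []
    for c in calls:
        if c.func == "lua_getfield" and len(c.args) >= 3:
            try:
                if as_int32(c.args[1]) == LUA_GLOBALSINDEX:
                    names.append(c.args[2])
            except ValueError:
                pass   # index argument was "?"
    return names


def expanded_env_strings(calls: List[ApiCall]) -> List[str]:
    return [c.args[0] for c in calls if c.func.startswith("ExpandEnvironmentStrings") and c.args]


def calls_of(calls: List[ApiCall], parent_addr: int) -> List[str]:
    """Call sequence attributed to one subcall function, in report order."""
    return [c.func for c in calls if c.parent == parent_addr]


def modules_used(calls: List[ApiCall]) -> List[str]:
    return sorted({c.module for c in calls})


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("modules:", modules_used(calls))
    print("resolved via GetProcAddress:", resolved_by_getprocaddress(calls))
    print("Lua globals read:", lua_globals_fetched(calls))
    print("environment strings expanded:", expanded_env_strings(calls))
    print("subcall 00458416:", calls_of(calls, 0x458416))
```

Feed it the APIs list of any function entry (the "Part of subcall function" lines included) and `calls_of` gives the per-subroutine call order, which is how the GetModuleHandleA → GetProcAddress → GetCurrentProcess sequence that resolves IsWow64Process becomes visible as one unit.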
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_remove.$_strlenlua_pushstring.$H_prolog3H_prolog3_lstrlenlua_getfield.lua_gettable.lua_pcall.lua_type.$FolderFromListLocationMallocPathSpeciallua_gettop.lua_pushnumber.
• String ID: AppData$Common AppData$Common Desktop$Common Documents$Common Programs$Common Start Menu$Common Startup$CommonFilesDir$CommonMusic$CommonPictures$CommonVideo$CurrentUser$Desktop$Fonts$Local AppData$LocalMachine$My Music$My Pictures$My Video$Personal$ProgramFilesDir$Programs$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Start Menu$Startup
• API String ID: 565944079-2480596902
• Opcode ID: f1164faa057dd2656b83bac0a1b432808a60f44b90e705be719fad21e1d5dbf5
• Instruction ID: df3980fa5d7cc877e0828f4ae111cec05e55fd3cadfa10da577760ea6d30b593
• Opcode Fuzzy Hash: f1164faa057dd2656b83bac0a1b432808a60f44b90e705be719fad21e1d5dbf5
• Instruction Fuzzy Hash: 7352E762501119AEEB25BB20DC4BFFE772DEF41705F1080AEF509650D3DE782F89992A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph image not reproduced; the layout text is summarised here for the function at 0041AD87.
• Entry block 41ad87-41b448: __EH_prolog3_GS, calls 4b56a0, 4015ec, 401bab, 40d56a, _strlen, 403c07, 4014a6, then a long repeated sequence of 401bab / 40c505 / 41ac26 / 41dd58 / 41dc12 calls, ending with call 458416.
• 41b44e-41b499 and 41b4da-41b5c0: ExpandEnvironmentStringsA, _strlen, 40181f, 402391, each followed by a conditional block 401bab / 41ac26 / 401962 / 40124d.
• 41b786-41b985: GetSystemDirectoryA, _strlen, 40181f, 405ab7, then GetWindowsDirectoryA; 41baea-41bafe: GetTempPathA.
• 41bb7e-41bd4a: calls 44ff3b, 4450e5 and further 401bab / 41dd58 pairs; 41bd50-41bf8d: four blocks each calling 4449c8, 4454da, 445507, 445534, 445632, with 401bab / 445f5e side branches.
• 41bfe8-41c15b: calls 41a93e and 41a0b2 among 401bab / 41dd58 / 40c505; exit block 41c160-41c198: 444abd, 44ff0b, 40124d * 2, 5b528a.
APIs
• __EH_prolog3_GS.LIBCMT ref: 0041AD91
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0040D56A: __EH_prolog3.LIBCMT ref: 0040D571
  • Part of subcall function 0040D56A: lua_getfield.LUA5.1(?,FFFFD8EE,?,?,?,?,?,00000004), ref: 0040D59D
  • Part of subcall function 0040D56A: lua_isstring.LUA5.1(?,000000FF,?,FFFFD8EE,?,?,?,?,?,00000004), ref: 0040D5A7
  • Part of subcall function 0040D56A: lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 0040D5BA
  • Part of subcall function 0040D56A: lua_remove.LUA5.1(?,000000FF), ref: 0040D5D0
• _strlen.LIBCMT ref: 0041ADE3
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
  • Part of subcall function 0040C505: lua_pushstring.LUA5.1(?,?), ref: 0040C511
  • Part of subcall function 0040C505: lua_setfield.LUA5.1(?,FFFFD8EE,?,?,?), ref: 0040C521
  • Part of subcall function 0041AC26: __EH_prolog3.LIBCMT ref: 0041AC2D
  • Part of subcall function 0041DD58: __EH_prolog3_GS.LIBCMT ref: 0041DD62
  • Part of subcall function 0041AC26: lua_getfield.LUA5.1(00000000,FFFFD8EE,Shell,?,00000000,00000008), ref: 0041ACBA
  • Part of subcall function 0041AC26: lua_type.LUA5.1(00000000,?,00000000,FFFFD8EE,Shell,?,00000000,00000008), ref: 0041ACC4
  • Part of subcall function 0041AC26: lua_pushstring.LUA5.1(00000000,GetFolder), ref: 0041ACD7
  • Part of subcall function 0041AC26: lua_gettable.LUA5.1(00000000,000000FE,00000000,GetFolder), ref: 0041ACDF
  • Part of subcall function 0041AC26: lua_remove.LUA5.1(00000000,000000FE,00000000,000000FE,00000000,GetFolder), ref: 0041ACE7
  • Part of subcall function 0041AC26: lua_type.LUA5.1(00000000,?,00000000,000000FE,00000000,000000FE,00000000,GetFolder), ref: 0041ACEE
  • Part of subcall function 0041AC26: lua_pushnumber.LUA5.1(00000000), ref: 0041AD04
  • Part of subcall function 0041AC26: lua_pcall.LUA5.1(00000000,00000001,00000001,00000000,00000000), ref: 0041AD0F
  • Part of subcall function 0041AC26: lua_isstring.LUA5.1(00000000), ref: 0041AD1D
  • Part of subcall function 0041AC26: lua_tolstring.LUA5.1(00000000,?,00000000), ref: 0041AD2B
  • Part of subcall function 0041AC26: lua_settop.LUA5.1(00000000,00000000), ref: 0041AD4F
  • Part of subcall function 0041DD58: __splitpath_s.LIBCMT ref: 0041DEB0
  • Part of subcall function 0041DD58: _strlen.LIBCMT ref: 0041DEBC
  • Part of subcall function 0041AC26: lua_remove.LUA5.1(00000000), ref: 0041AD46
  • Part of subcall function 0041DC12: __EH_prolog3.LIBCMT ref: 0041DC19
  • Part of subcall function 00458416: GetModuleHandleA.KERNEL32(kernel32.dll,0074DE40,?,0041B446,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00458423
  • Part of subcall function 00458416: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00458434
  • Part of subcall function 00458416: GetCurrentProcess.KERNEL32(00000000,?,?,0041B446,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00458444
• ExpandEnvironmentStringsA.KERNEL32(%ProgramW6432%,?,00000400,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0041B460
• _strlen.LIBCMT ref: 0041B46D
                                                                                                                              • ExpandEnvironmentStringsA.KERNEL32(%CommonProgramW6432%,?,00000400,?,?,00000000,%ProgramW6432%,?,00000000,?,?,00000000,?,?,00000000), ref: 0041B588
                                                                                                                              • _strlen.LIBCMT ref: 0041B595
                                                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041B89E
                                                                                                                              • _strlen.LIBCMT ref: 0041B8AB
                                                                                                                                • Part of subcall function 0040181F: _memmove_s.LIBCMT ref: 00401866
                                                                                                                                • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,?,?,00000000,?,00000000,?,?,00000000), ref: 0041B978
                                                                                                                              • _strlen.LIBCMT ref: 0041B98E
                                                                                                                                • Part of subcall function 0040181F: _memcpy_s.LIBCMT ref: 00401876
                                                                                                                                • Part of subcall function 0044FF3B: __EH_prolog3_GS.LIBCMT ref: 0044FF45
                                                                                                                                • Part of subcall function 0044FF3B: GetVersionExA.KERNEL32 ref: 0044FFAD
                                                                                                                                • Part of subcall function 00445632: __EH_prolog3.LIBCMT ref: 00445639
                                                                                                                                • Part of subcall function 00445F5E: __EH_prolog3.LIBCMT ref: 00445F65
                                                                                                                                • Part of subcall function 0041A0B2: __EH_prolog3.LIBCMT ref: 0041A0B9
                                                                                                                              • _strlen.LIBCMT ref: 0041B9BA
                                                                                                                              • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,006985B8,00000000,?,?,?,?,00000000), ref: 0041BAF6
                                                                                                                              • _strlen.LIBCMT ref: 0041BB07
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _strlen$H_prolog3$H_prolog3__memcpy_slua_remove.$DirectoryEnvironmentExpandStringslua_getfield.lua_isstring.lua_pushstring.lua_tolstring.lua_type.$AddressCurrentHandleModulePathProcProcessSystemTempVersionWindows__mbsinc__splitpath_s_memmove_s_strnlenlua_gettable.lua_pcall.lua_pushnumber.lua_setfield.lua_settop.
                                                                                                                              • String ID: %AppDrive%$%AppFolder%$%ApplicationDataFolder%$%ApplicationDataFolderCommon%$%CommonDocumentsFolder%$%CommonFilesFolder%$%CommonFilesFolder64%$%CommonProgramW6432%$%DAOPath%$%DesktopFolder%$%DesktopFolderCommon%$%FontsFolder%$%MyDocumentsFolder%$%MyMusicFolder%$%MyMusicFolderCommon%$%MyPicturesFolder%$%MyPicturesFolderCommon%$%MyVideosFolder%$%MyVideosFolderCommon%$%ProgramFilesFolder%$%ProgramFilesFolder64%$%ProgramW6432%$%RegOrganization%$%RegOwner%$%SourceFolder%$%StartFolder%$%StartFolderCommon%$%StartProgramsFolder%$%StartProgramsFolderCommon%$%StartupFolder%$%StartupFolderCommon%$%SystemDrive%$%SystemFolder%$%TempFolder%$%TempLaunchFolder%$%WindowsFolder%$0$;?;?.lua$LUA_PATH$LocalMachine$RegisteredOrganization$RegisteredOwner$SHF_APPLICATIONDATA$SHF_APPLICATIONDATA_COMMON$SHF_COMMONFILES$SHF_COMMON_DOCUMENTS$SHF_DESKTOP$SHF_DESKTOP_COMMON$SHF_FONTS$SHF_MYDOCUMENTS$SHF_MYMUSIC$SHF_MYMUSIC_COMMON$SHF_MYPICTURES$SHF_MYPICTURES_COMMON$SHF_MYVIDEOS$SHF_MYVIDEOS_COMMON$SHF_PROGRAMFILES$SHF_STARTMENU$SHF_STARTMENUPROGRAMS$SHF_STARTMENUPROGRAMS_COMMON$SHF_STARTMENU_COMMON$SHF_STARTUP$SHF_STARTUP_COMMON$SUF80$SUF9$Software\Microsoft\Windows NT\CurrentVersion$Software\Microsoft\Windows\CurrentVersion$_DesktopFolder$_DesktopFolderCommon$_IR_ProductID$_ProgramFilesFolder$_ProgramFilesFolder64$_SystemFolder$_TempFolder$_TempLaunchFolder$_WindowsFolder
                                                                                                                              • API String ID: 3182814728-2820401366
                                                                                                                              • Opcode ID: 12acaab1bb8452d3fa9e2b264f78b7cffc45a6ee502d98dc25e319b1acc67ff8
                                                                                                                              • Instruction ID: 0b4b13973a95d18aa85d715952d4abcb100da8110f6399218f55ead5f45302fe
                                                                                                                              • Opcode Fuzzy Hash: 12acaab1bb8452d3fa9e2b264f78b7cffc45a6ee502d98dc25e319b1acc67ff8
                                                                                                                              • Instruction Fuzzy Hash: 6CB257B0E10658ABCB149B59CD57BDE7BB99F49715F0001DEB009732C2DA781B848FEA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                               control_flow_graph 852 427eb5-427f95 __EH_prolog3_GS call 4b56a0 call 4015ec call 4b56a0 call 4015ec call 401bab call 43c227 call 401962 call 40124d _strlen call 403c07 call 418e87 call 417a93 call 417fe8 877 4286a5-4286bf call 4179f8 852->877 878 427f9b-42857f call 4b6232 call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 418503 call 40124d call 401bab call 43c227 call 40c75b call 405b76 call 418503 call 40124d * 3 call 401bab call 43c227 call 40c75b call 418503 call 40124d * 2 call 401bab call 43c227 call 40c75b call 418503 call 40124d * 2 call 418ec5 call 4b56a0 call 4015ec 852->878 883 428813-42882b GetSystemMetrics 877->883 884 4286c5-4286f1 _memset GlobalMemoryStatusEx 877->884 1275 4285bf-4285c1 878->1275 889 4288f0-428904 GetSystemMetrics 883->889 890 428831-4288eb call 4b56a0 call 4015ec call 401bab call 43c227 call 40258d call 40124d call 405b76 call 403c07 call 40124d _strlen call 40181f call 40124d 883->890 887 4286f3-4286f6 884->887 888 4286f8-4286fb 884->888 887->888 892 4286fe-428708 887->892 888->892 894 4289d1 889->894 895 42890a-4289ca call 4b56a0 call 4015ec call 401bab call 43c227 call 40258d call 40124d call 405b76 call 403c07 call 40124d _strlen call 40181f call 40124d 889->895 890->889 892->883 897 42870e 892->897 898 4289d3-428a26 GetDesktopWindow call 4bbea4 GetDC call 4b7bce GetDeviceCaps GetDesktopWindow call 4bbea4 ReleaseDC 894->898 895->898 903 428710-428713 897->903 904 428719-428811 call 4b56a0 call 4015ec call 401bab call 43c227 call 401bab call 43c227 call 40258d call 40124d * 2 call 405b76 call 403c07 call 40124d _strlen call 40181f call 40124d 897->904 936 428b24 call 458fc6 898->936 937 428a2c-428b1f call 4b56a0 call 4015ec call 401bab call 43c227 call 401bab call 43c227 call 40258d call 40124d * 2 call 405b76 call 403c07 call 40124d _strlen call 40181f call 40124d 898->937 903->883 903->904 904->883 949 428b29-428b2b 936->949 937->936 955 428b31-428b3c 949->955 956 428c2f-428c32 949->956 955->956 964 428b42-428c2a call 4b56a0 call 4015ec call 401bab call 43c227 call 401bab call 43c227 call 40258d call 40124d * 2 call 405b76 call 403c07 call 40124d _strlen call 40181f call 40124d 955->964 961 428c38-428c47 956->961 962 428d7c-428d95 call 43a00f 956->962 971 428c49 961->971 972 428c4c-428cb3 call 40c75b call 405b76 call 43a00f call 40124d * 2 call 440d07 961->972 985 428e4a-428e68 call 40124d * 2 call 5b528a 962->985 964->956 971->972 972->985 1060 428cb9-428ccb 972->1060 1065 428cd1-428d77 call 401bab call 43c227 call 40c75b call 403c07 call 40124d * 2 call 401bab call 43c227 call 403787 MessageBoxA call 40124d 1060->1065 1066 428d9a-428e45 call 401bab call 43c227 call 40c75b call 403c07 call 40124d * 2 call 401bab call 43c227 call 403787 MessageBoxA call 40124d 1060->1066 1065->985 1066->985 1153 428e47 1066->1153 1153->985 1276 4285c3-4286a3 call 405ab7 call 401bab call 43c227 call 405b76 call 405b1f call 405b76 call 403c07 call 40124d * 4 _strlen call 40181f call 40124d call 4b6360 1275->1276 1277 428581-428585 1275->1277 1276->877 1279 42858b-4285ba call 405b76 call 403c07 call 40124d 1277->1279 1280 4289cc call 4b4c5c 1277->1280 1279->1275 1280->894
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00427EBF
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
                                                                                                                              • _strlen.LIBCMT ref: 00427F33
                                                                                                                                • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
                                                                                                                                • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
                                                                                                                                • Part of subcall function 00418E87: __EH_prolog3.LIBCMT ref: 00418E8E
                                                                                                                                • Part of subcall function 00417A93: _memset.LIBCMT ref: 00417ABE
                                                                                                                                • Part of subcall function 00417A93: GetVersionExA.KERNEL32(?,00000000,?), ref: 00417AD9
                                                                                                                                • Part of subcall function 00417A93: GetVersionExA.KERNEL32(?), ref: 00417AF0
                                                                                                                              • _strlen.LIBCMT ref: 00428679
                                                                                                                              • _memset.LIBCMT ref: 004286CE
                                                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 004286DD
                                                                                                                              • _strlen.LIBCMT ref: 004287F2
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C2C6
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C33E
                                                                                                                                • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000,00000000,000000B8), ref: 0043C35B
                                                                                                                                • Part of subcall function 0043C227: lua_getfield.LUA5.1(00000000,FFFFD8EE,_tblErrorMessages,00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000), ref: 0043C36B
                                                                                                                                • Part of subcall function 0043C227: lua_pushnumber.LUA5.1(00000000), ref: 0043C37A
                                                                                                                                • Part of subcall function 0043C227: lua_pushstring.LUA5.1(00000000,00000000), ref: 0043C3A6
                                                                                                                                • Part of subcall function 0043C227: lua_settable.LUA5.1(00000000,000000FD), ref: 0043C3BB
                                                                                                                                • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,000000FE,00000000,000000FD), ref: 0043C3C3
                                                                                                                                • Part of subcall function 00418503: __EH_prolog3.LIBCMT ref: 0041853B
                                                                                                                                • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 0040C75B: _strlen.LIBCMT ref: 0040C79F
                                                                                                                                • Part of subcall function 00418EC5: __EH_prolog3.LIBCMT ref: 00418ECC
                                                                                                                              • GetSystemMetrics.USER32(00000000), ref: 00428814
                                                                                                                              • _strlen.LIBCMT ref: 004288D1
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              • GetSystemMetrics.USER32(00000001), ref: 004288F2
                                                                                                                              • _strlen.LIBCMT ref: 004289AB
                                                                                                                              • GetDesktopWindow.USER32 ref: 004289D9
                                                                                                                              • GetDC.USER32(?), ref: 004289E4
                                                                                                                              • GetDeviceCaps.GDI32(?,0000000C), ref: 004289F8
                                                                                                                              • GetDesktopWindow.USER32 ref: 00428A01
                                                                                                                              • _strlen.LIBCMT ref: 00428C10
                                                                                                                                • Part of subcall function 0040181F: _memcpy_s.LIBCMT ref: 00401876
                                                                                                                              • _strlen.LIBCMT ref: 00428B05
                                                                                                                                • Part of subcall function 0040181F: _memmove_s.LIBCMT ref: 00401866
                                                                                                                                • Part of subcall function 00458FC6: GetVersionExA.KERNEL32(?,00000000), ref: 00458FF3
                                                                                                                              • ReleaseDC.USER32(?,00000001), ref: 00428A12
                                                                                                                                • Part of subcall function 00405B76: _strlen.LIBCMT ref: 00405BB5
                                                                                                                              • MessageBoxA.USER32(?,?,00000000,?), ref: 00428D66
                                                                                                                              • MessageBoxA.USER32(?,?,00000000,?), ref: 00428E2F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_strlen$Version$DesktopMessageMetricsSystemWindow_memcpy_s_memsetlua_settop.$CapsDeviceException@8GlobalH_prolog3_MemoryReleaseStatusThrow_memmove_s_strnlenlua_getfield.lua_pushnumber.lua_pushstring.lua_settable.
                                                                                                                              • String ID: $%s: %d$%s: %d %s$%s: %s$;$Administrator$Color Depth$MSG_BITSPERPIXEL$MSG_NOTICE$MSG_OS_ALL$MSG_OS_NONE$MSG_OS_PART_A$MSG_OS_PART_B$MSG_OS_PART_C$MSG_OS_PART_NOSERVPACK$MSG_OS_PART_ORNEWER$MSG_OS_PART_SE$MSG_OS_PART_SERVPACK$MSG_OS_UNKNOWN$MSG_OS_W7$MSG_OS_W8$MSG_OS_WSRV2003$MSG_OS_WSRV2008$MSG_OS_WSRV2008_R2$MSG_OS_WSRV2012$MSG_OS_WVISTA$MSG_OS_WXP$MSG_SIZE_MEGABYTES$MSG_SYSREQ_ABORT$MSG_SYSREQ_COLORDEPTH$MSG_SYSREQ_NOTMET$MSG_SYSREQ_OS$MSG_SYSREQ_RAM$MSG_SYSREQ_SCREENHEIGHT$MSG_SYSREQ_SCREENWIDTH$MSG_SYSREQ_SYSTEMADMIN$MSG_SYSREQ_USERPERMISSION$MSG_SYSREQ_WARN$Operating System$RAM$Screen Height$Screen Width$System requirements check$System requirements check (
                                                                                                                              • API String ID: 2515474635-2171012533
                                                                                                                              • Opcode ID: 6d591495275eeb0fa1b1ecc800a1be675e2e5f79365b45e657152c7f14d656b6
                                                                                                                              • Instruction ID: 4226f85bc195d0106a14c5e3ff12855e4264d12d1b42efd4ece696740f155b80
                                                                                                                              • Opcode Fuzzy Hash: 6d591495275eeb0fa1b1ecc800a1be675e2e5f79365b45e657152c7f14d656b6
                                                                                                                              • Instruction Fuzzy Hash: 4FA26170D00188AFDB04EBE9CD51AED7B79AF15328F14415EF116BB2D2DB781A04CB6A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

APIs
• DeleteFileA.KERNEL32(?,?,006985B8,00000000,?,00000001,00000000,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042F218
  • Part of subcall function 00440C8A: __EH_prolog3.LIBCMT ref: 00440C91
• _strlen.LIBCMT ref: 0042DE10
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
• MessageBoxA.USER32(00000000,?,00000000,?), ref: 0042E08D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?), ref: 0042E1CC
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
• _strlen.LIBCMT ref: 0042E270
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C2C6
  • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
  • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
• _strlen.LIBCMT ref: 0042E2D7
• _strlen.LIBCMT ref: 0042E33E
• _strlen.LIBCMT ref: 0042E3A5
• _strlen.LIBCMT ref: 0042E409
• MessageBoxA.USER32(?,?,00000000,?), ref: 0042E4DC
• MessageBoxA.USER32(?,?,00000000,?), ref: 0042E65B
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,00000000,00000000,?,?), ref: 0042E773
• CopyFileA.KERNEL32(?,?), ref: 0042E784
• MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0042E79E
• WritePrivateProfileStringA.KERNEL32(Rename,?,?,?), ref: 0042E844
• DeleteFileA.KERNEL32(?,?), ref: 0042E948
• __time64.LIBCMT ref: 0042E99F
  • Part of subcall function 005B5F5F: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00439F6A,00000000,00000010,00404C11,** [END] ProcessInBuffer !ReadFromDisk,00000001), ref: 005B5F6A
  • Part of subcall function 005B5F5F: __aulldiv.LIBCMT ref: 005B5F8A
  • Part of subcall function 0040C75B: _strlen.LIBCMT ref: 0040C79F
  • Part of subcall function 00420480: __EH_prolog3.LIBCMT ref: 00420487
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C33E
  • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000,00000000,000000B8), ref: 0043C35B
  • Part of subcall function 0043C227: lua_getfield.LUA5.1(00000000,FFFFD8EE,_tblErrorMessages,00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000), ref: 0043C36B
  • Part of subcall function 0043C227: lua_pushnumber.LUA5.1(00000000), ref: 0043C37A
  • Part of subcall function 0043C227: lua_pushstring.LUA5.1(00000000,00000000), ref: 0043C3A6
  • Part of subcall function 0043C227: lua_settable.LUA5.1(00000000,000000FD), ref: 0043C3BB
  • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,000000FE,00000000,000000FD), ref: 0043C3C3
• __time64.LIBCMT ref: 0042E9CB
• __time64.LIBCMT ref: 0042E9F7
• SetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0042EA3D
• MessageBoxA.USER32(?,?,00000000,?), ref: 0042EC95
• MessageBoxA.USER32(?,?,00000000,?), ref: 0042EEE7
  • Part of subcall function 0040C578: lua_getfield.LUA5.1(0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C58C
  • Part of subcall function 0040C578: lua_isnumber.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C596
  • Part of subcall function 0040C578: lua_tonumber.LUA5.1(0000C264,000000FF), ref: 0040C5A7
  • Part of subcall function 0040C578: lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C5BA
  • Part of subcall function 004278AD: __EH_prolog3.LIBCMT ref: 004278B4
• __EH_prolog3_GS.LIBCMT ref: 0042F357
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$File$_strlen$Message$Delete__time64$AttributesTimelua_getfield.lua_settop.$CopyH_prolog3_MovePrivateProfileStringSystemWrite__aulldiv_memcpy_s_strnlenlua_isnumber.lua_pushnumber.lua_pushstring.lua_remove.lua_settable.lua_tonumber.
• String ID: (Reason: $%WindowsFolder%$%s%s$%sArc: %sFN: %s$%s%s (#%d)$%s (%d):%s$2$Archive file: $Change file attributes: $ERR_ARCHIVE_SKIPPING_FILE$ERR_CREATE_FOLDER$ERR_CREATE_UNINSTALL_ENTRY$ERR_DECOMPRESS_CRC$ERR_DECOMPRESS_DETECTED$ERR_DECOMPRESS_DISKFULL$ERR_DECOMPRESS_RW$ERR_DECOMPRESS_UNKNOWN$ERR_OPEN_OUTPUT$INSTALL_STAGE_INSTALLING_FILES$Install archive file: $MSG_ERROR$MSG_SEEKING$Protected archive file install on reboot: $Rename$Skip archive file: $\WININIT.INI$_NeedsReboot
• API String ID: 3390730035-3150782931
• Opcode ID: e327ddea02fd00c2b4687df090e967da394aee4382bb96065904e0c5718ecea9
• Instruction ID: be67d2dbf6f1b0989acd2558e84744010022f519b1aeefa7328327c6d6abd82d
• Opcode Fuzzy Hash: e327ddea02fd00c2b4687df090e967da394aee4382bb96065904e0c5718ecea9
• Instruction Fuzzy Hash: 64D28F70A00519DFDB24DB65CD91DEAB7BAAF49318F0001EEF189A7292DBB41AD0CF15
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0041E284: __EH_prolog3.LIBCMT ref: 0041E28B
  • Part of subcall function 0040C544: lua_pushboolean.LUA5.1(?,?), ref: 0040C550
  • Part of subcall function 0040C544: lua_setfield.LUA5.1(?,FFFFD8EE,?,?,?), ref: 0040C560
• GetFileAttributesA.KERNEL32(026D82D8), ref: 0041EC05
• __wcstoui64.LIBCMT ref: 0041EDF9
  • Part of subcall function 005B8A7E: strtoxq.LIBCMT ref: 005B8AA0
• __wcstoui64.LIBCMT ref: 0041F029
• GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041ECF2
  • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
• GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041F0D7
• GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000000), ref: 0041F179
• __splitpath_s.LIBCMT ref: 0041F1F8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$ModuleName$H_prolog3__wcstoui64$Attributes__mbsinc__splitpath_slua_pushboolean.lua_setfield.strtoxq
                                                                                                                              • String ID: data file$%$%SourceDrive%$%SourceFilename%$%SourceFolder%$/NOINIT$/U:$Failed self extraction$Failed to create debug window.$Failed to find $Failed to load $Invalid archive filename:%s$Invalid module name.$Invalid silent install INI file: $Invalid start mode: archive filename$Invalid start mode: archive offset$Invalid start mode: compression type$Invalid start mode: total setup size$Invalid uninstall command line option$Invalid uninstall control file: $\irsetup.dat$_DoingUninstall$_SilentInstall$_SourceDrive$_SourceFilename$_SourceFolder$__IRAFN:$__IRAOFF:$__IRCT:$__IRSID:$__IRTSS:$lua5.1.dll$setup$uninstall
                                                                                                                              • API String ID: 177417289-1994103235
                                                                                                                              • Opcode ID: dc288f7a2336766facf79945055fdb89966d8686703062756b31738f359e0a8c
                                                                                                                              • Instruction ID: a99f083a8b83a8050169faedbcc45fe2e92807e0d520c38b856cede29d7271bf
                                                                                                                              • Opcode Fuzzy Hash: dc288f7a2336766facf79945055fdb89966d8686703062756b31738f359e0a8c
                                                                                                                              • Instruction Fuzzy Hash: 5DC276B09001489FDB14EB69CD91BAD77B9AF45328F4441EEF115A72D2CB385E84CB2E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                               Control-flow Graph (graph image not included in this export)
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0042AB72
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 0044DE68: LoadLibraryA.KERNEL32(Sfc.dll,?,?), ref: 0044DE8D
                                                                                                                                • Part of subcall function 0044DE68: GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0044DEA4
                                                                                                                                • Part of subcall function 0044DE68: _memset.LIBCMT ref: 0044DEC6
                                                                                                                                • Part of subcall function 0044DE68: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104,?,?,?), ref: 0044DEE1
                                                                                                                                • Part of subcall function 0044DE68: FreeLibrary.KERNEL32(?,?,?), ref: 0044DF01
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0042AD77
                                                                                                                              • _malloc.LIBCMT ref: 0042AD9F
                                                                                                                              • 73EE1500.VERSION(?,00698DAC,?,?,?,?,?,00000000,?,?,?,000000A8,?,00000020,0042D4B5,00000000), ref: 0042ADE5
                                                                                                                              • _memmove.LIBCMT ref: 0042ADFD
                                                                                                                              • _free.LIBCMT ref: 0042AE45
                                                                                                                              • MessageBoxA.USER32(00000000,?,00000000,?), ref: 0042B028
                                                                                                                              • MessageBoxA.USER32(00000000,?,00000000,?), ref: 0042B243
                                                                                                                              • GetFileAttributesA.KERNEL32(?,?,000003CC,?,?,?,?,00000000,00000000,00000000,00000001,006985B8,00000000,00000000,00000000,000003CC), ref: 0042B347
                                                                                                                              • GetFileAttributesA.KERNEL32(?,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000,00000000,00000000), ref: 0042B386
                                                                                                                              • _strlen.LIBCMT ref: 0042B3C8
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                                • Part of subcall function 0044BAF2: __EH_prolog3_GS.LIBCMT ref: 0044BAFC
                                                                                                                                • Part of subcall function 0044BAF2: GetCurrentDirectoryA.KERNEL32(00000104,?,0000005C,0000005C), ref: 0044BB48
                                                                                                                                • Part of subcall function 0044BAF2: _memset.LIBCMT ref: 0044BB64
                                                                                                                                • Part of subcall function 0044BAF2: SetCurrentDirectoryA.KERNEL32(?), ref: 0044BBC9
                                                                                                                                • Part of subcall function 0044BAF2: CreateDirectoryA.KERNEL32(?,00000000), ref: 0044BBDB
                                                                                                                                • Part of subcall function 0044BAF2: SetCurrentDirectoryA.KERNEL32(?), ref: 0044BCBD
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
                                                                                                                              • GetTempFileNameA.KERNEL32(?,suf,00000000,?,?,?,?,?,00000000,00000000,00000000,00000001,006985B8,00000000,00000000,00000000), ref: 0042B5D3
                                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,00000000,00000000,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004), ref: 0042B6C1
                                                                                                                              • DeleteFileA.KERNEL32(?,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000,00000000,00000000,00000000), ref: 0042B6C9
                                                                                                                                • Part of subcall function 004248B9: __EH_prolog3.LIBCMT ref: 004248C0
                                                                                                                                • Part of subcall function 004248B9: _strlen.LIBCMT ref: 00424925
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0040D56A: __EH_prolog3.LIBCMT ref: 0040D571
                                                                                                                                • Part of subcall function 0040D56A: lua_getfield.LUA5.1(?,FFFFD8EE,?,?,?,?,?,00000004), ref: 0040D59D
                                                                                                                                • Part of subcall function 0040D56A: lua_isstring.LUA5.1(?,000000FF,?,FFFFD8EE,?,?,?,?,?,00000004), ref: 0040D5A7
                                                                                                                                • Part of subcall function 0040D56A: lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 0040D5BA
                                                                                                                                • Part of subcall function 0040D56A: lua_remove.LUA5.1(?,000000FF), ref: 0040D5D0
                                                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,00000000,00000000,00000000,00000001,006985B8,00000000,00000000,00000000,000003CC), ref: 0042B6DC
                                                                                                                              • MessageBoxA.USER32(00000000,?,00000000,?), ref: 0042B82F
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
                                                                                                                                • Part of subcall function 0040C544: lua_pushboolean.LUA5.1(?,?), ref: 0040C550
                                                                                                                                • Part of subcall function 0040C544: lua_setfield.LUA5.1(?,FFFFD8EE,?,?,?), ref: 0040C560
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C33E
                                                                                                                                • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000,00000000,000000B8), ref: 0043C35B
                                                                                                                                • Part of subcall function 0043C227: lua_getfield.LUA5.1(00000000,FFFFD8EE,_tblErrorMessages,00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000), ref: 0043C36B
                                                                                                                                • Part of subcall function 0043C227: lua_pushnumber.LUA5.1(00000000), ref: 0043C37A
                                                                                                                                • Part of subcall function 0043C227: lua_pushstring.LUA5.1(00000000,00000000), ref: 0043C3A6
                                                                                                                                • Part of subcall function 0043C227: lua_settable.LUA5.1(00000000,000000FD), ref: 0043C3BB
                                                                                                                                • Part of subcall function 0043C227: lua_settop.LUA5.1(00000000,000000FE,00000000,000000FD), ref: 0043C3C3
                                                                                                                              • GetTempFileNameA.KERNEL32(?,suf,00000000,?), ref: 0042B87F
                                                                                                                              • MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0042B891
                                                                                                                              • WritePrivateProfileStringA.KERNEL32(Rename,?,?,?), ref: 0042B937
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C2C6
                                                                                                                              • DeleteFileA.KERNEL32(?,00000000,0000B011,00000000,?,000000A8,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004), ref: 0042BA79
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$H_prolog3$AttributesDirectory$CurrentMessage_strlen$DeleteH_prolog3_LibraryNameTemp_memsetlua_getfield.lua_settop.$AddressByteCharCreateE1500FreeLoadMoveMultiPrivateProcProfileStringWideWrite_free_malloc_memcpy_s_memmovelstrcpylua_isstring.lua_pushboolean.lua_pushnumber.lua_pushstring.lua_remove.lua_setfield.lua_settable.lua_tolstring.
                                                                                                                              • String ID: $ (Source = $ (Temporary filename = $ -> $%WindowsFolder%$%s%s%s$%s%s%s$Archive file rollback: $Backup existing file: $Conditions not met$Existing file overwrite setting$Existing file protected$File Backup$File in use: $Install archive file on reboot: $MSG_FILE_EXISTS_ANY$MSG_FILE_EXISTS_INUSE$MSG_FILE_EXISTS_NEWER$MSG_FILE_EXISTS_RETRY$MSG_FILE_OVERWRITE_CONFIRM$MSG_NOTICE$Rename$\WININIT.INI$_BackupFolder$_NeedsReboot$suf
                                                                                                                              • API String ID: 2557053154-113856596
                                                                                                                              • Opcode ID: 48647e8b7170630651c0aa81596e7be06ffa89b39cf9db55876972c8941b1872
                                                                                                                              • Instruction ID: 48a4e17a3933be2d80fa469476d7b5e5f718224a2ecb3c2eb4efe231d4973dd2
                                                                                                                              • Opcode Fuzzy Hash: 48647e8b7170630651c0aa81596e7be06ffa89b39cf9db55876972c8941b1872
                                                                                                                              • Instruction Fuzzy Hash: F9925D70A002189FDB26EBA5CC51AADB7BDAF05318F4041DEF159A7292CB785F80CF65
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                               Control-flow Graph (graph image not included in this export)
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004D7212
                                                                                                                              • GetSysColor.USER32(00000016), ref: 004D7221
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004D722E
                                                                                                                              • GetSysColor.USER32(00000015), ref: 004D7241
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004D7249
                                                                                                                              • GetDeviceCaps.GDI32(?,0000000C), ref: 004D726F
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004D727D
                                                                                                                              • GetSysColor.USER32(00000010), ref: 004D7287
                                                                                                                              • GetSysColor.USER32(00000015), ref: 004D7291
                                                                                                                              • GetSysColor.USER32(00000016), ref: 004D729B
                                                                                                                              • GetSysColor.USER32(00000014), ref: 004D72A5
                                                                                                                              • GetSysColor.USER32(00000012), ref: 004D72AF
                                                                                                                              • GetSysColor.USER32(00000011), ref: 004D72B9
                                                                                                                              • GetSysColor.USER32(00000006), ref: 004D72C0
                                                                                                                              • GetSysColor.USER32(0000000D), ref: 004D72C7
                                                                                                                              • GetSysColor.USER32(0000000E), ref: 004D72CE
                                                                                                                              • GetSysColor.USER32(00000005), ref: 004D72D5
                                                                                                                              • GetSysColor.USER32(00000008), ref: 004D72DF
                                                                                                                              • GetSysColor.USER32(00000009), ref: 004D72E6
                                                                                                                              • GetSysColor.USER32(00000007), ref: 004D72ED
                                                                                                                              • GetSysColor.USER32(00000002), ref: 004D72F4
                                                                                                                              • GetSysColor.USER32(00000003), ref: 004D72FB
                                                                                                                              • GetSysColor.USER32(0000001B), ref: 004D7302
                                                                                                                              • GetSysColor.USER32(0000001C), ref: 004D730C
                                                                                                                              • GetSysColor.USER32(0000000A), ref: 004D7316
• GetSysColor.USER32(0000000B), ref: 004D7320
• GetSysColor.USER32(00000013), ref: 004D732A
• GetSysColor.USER32(0000001A), ref: 004D7344
• GetSysColorBrush.USER32(00000010), ref: 004D735F
• GetSysColorBrush.USER32(00000014), ref: 004D7376
• GetSysColorBrush.USER32(00000005), ref: 004D7388
• CreateSolidBrush.GDI32(?), ref: 004D73AC
• CreateSolidBrush.GDI32(?), ref: 004D73C8
• CreateSolidBrush.GDI32(?), ref: 004D73E4
• CreateSolidBrush.GDI32(?), ref: 004D7400
• CreateSolidBrush.GDI32(?), ref: 004D741C
• CreateSolidBrush.GDI32(?), ref: 004D7438
• CreateSolidBrush.GDI32(?), ref: 004D7454
• CreatePen.GDI32(00000000,00000001,00000000), ref: 004D747D
• CreatePen.GDI32(00000000,00000001,00000000), ref: 004D74A0
• CreatePen.GDI32(00000000,00000001,00000000), ref: 004D74C3
• CreateSolidBrush.GDI32(?), ref: 004D7547
• CreatePatternBrush.GDI32(00000000), ref: 004D7588
  • Part of subcall function 004B7F10: DeleteObject.GDI32(00000000), ref: 004B7F1F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
• String ID:
• API String ID: 3754413814-0
• Opcode ID: 78787f3655faeb4413d688779a0f1af4147f5aa6aaff11e147570f6b1f99c44f
• Instruction ID: 5a7851490d64099118b5ebcb44374de2ec153e31cf57f48783afeef94ba797fc
• Opcode Fuzzy Hash: 78787f3655faeb4413d688779a0f1af4147f5aa6aaff11e147570f6b1f99c44f
• Instruction Fuzzy Hash: 08B17070904B459ED734EF76CC96BEBBBE5AF80300F00492EE19786691EB79A504DF24
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Graph of the function at 0041A0B2 (legend: Executed / Not Executed); the raw basic-block edge dump rendered here is not reproduced.
APIs
• __EH_prolog3.LIBCMT ref: 0041A0B9
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 00409E02: ConvertStringSidToSidA.ADVAPI32(?,?), ref: 00409E19
  • Part of subcall function 00409E02: LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00409E44
  • Part of subcall function 00409E02: GetLastError.KERNEL32 ref: 00409E46
  • Part of subcall function 00409E02: _malloc.LIBCMT ref: 00409E62
  • Part of subcall function 00409E02: _malloc.LIBCMT ref: 00409E6C
  • Part of subcall function 00409E02: _memset.LIBCMT ref: 00409E83
  • Part of subcall function 00409E02: _memset.LIBCMT ref: 00409E8F
  • Part of subcall function 00409E02: LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00409EAB
  • Part of subcall function 00409E02: _free.LIBCMT ref: 00409ED0
  • Part of subcall function 00409E02: _free.LIBCMT ref: 00409EDF
  • Part of subcall function 00409E02: LocalFree.KERNEL32(?), ref: 00409EFA
  • Part of subcall function 0041DD58: __EH_prolog3_GS.LIBCMT ref: 0041DD62
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 0041DD58: __splitpath_s.LIBCMT ref: 0041DEB0
  • Part of subcall function 0041DD58: _strlen.LIBCMT ref: 0041DEBC
  • Part of subcall function 00445632: __EH_prolog3.LIBCMT ref: 00445639
  • Part of subcall function 00445F5E: __EH_prolog3.LIBCMT ref: 00445F65
Similarity
• API ID: H_prolog3$AccountLookup_free_malloc_memset$ConvertErrorFreeH_prolog3_LastLocalString__splitpath_s_memcpy_s_strlen
• String ID: !$%ApplicationDataFolder%$%DesktopFolder%$%LaunchUserApplicationDataFolder%$%LaunchUserDesktopFolder%$%LaunchUserDomain%$%LaunchUserMyDocumentsFolder%$%LaunchUserMyMusicFolder%$%LaunchUserMyPicturesFolder%$%LaunchUserMyVideosFolder%$%LaunchUserName%$%LaunchUserStartFolder%$%LaunchUserStartProgramsFolder%$%LaunchUserStartupFolder%$%MyDocumentsFolder%$%MyMusicFolder%$%MyPicturesFolder%$%MyVideosFolder%$%StartFolder%$%StartProgramsFolder%$%StartupFolder%$%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$AppData$Desktop$My Music$My Pictures$My Video$Personal$Programs$Start Menu$Startup$Users
• API String ID: 3940958275-2356433915
• Opcode ID: a5357e24b258e595108c0aad8c6c260a0065b39adcc0ebefec3cbdb5f7a5287f
• Instruction ID: b5d2882960390890bb3e755470848708f13eb2ab17b8d508fdffdd65389ace15
• Opcode Fuzzy Hash: a5357e24b258e595108c0aad8c6c260a0065b39adcc0ebefec3cbdb5f7a5287f
• Instruction Fuzzy Hash: 6F42A2B0D11248ABDF04EBE9C952ADEBBB9AF45318F14015EF015732D2CB781E05CB6A
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Graph of the function at 005216C9 (legend: Executed / Not Executed); the raw basic-block edge dump rendered here is not reproduced.
APIs
• __EH_prolog3.LIBCMT ref: 005216D3
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00521895
• GetObjectA.GDI32(00000082,00000018,?), ref: 005218A7
• CreateCompatibleDC.GDI32(00000000), ref: 005218F9
• GetObjectA.GDI32(00000082,00000018,?), ref: 00521914
• SelectObject.GDI32(?,00000082), ref: 00521928
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 0052194C
• SelectObject.GDI32(?,00000000), ref: 0052195F
• CreateCompatibleDC.GDI32(?), ref: 00521975
• SelectObject.GDI32(?,?), ref: 0052198A
• SelectObject.GDI32(?,00000000), ref: 00521999
• DeleteObject.GDI32(?), ref: 0052199E
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 005219BE
• GetPixel.GDI32(?,?,?), ref: 005219DD
• SetPixel.GDI32(?,?,?,00000000), ref: 00521A13
• SelectObject.GDI32(?,?), ref: 00521A35
• SelectObject.GDI32(?,00000000), ref: 00521A3D
• DeleteObject.GDI32(00000082), ref: 00521A42
• DeleteObject.GDI32(00000082), ref: 00521A74
• __EH_prolog3.LIBCMT ref: 00521AA8
• CreateCompatibleDC.GDI32(00000000), ref: 00521B73
• CreateCompatibleDC.GDI32(00000000), ref: 00521B7F
Similarity
• API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
• String ID:
• API String ID: 1197801157-3916222277
• Opcode ID: 16c418f635b7997d422461bb1109cad39f8a5bab48b5cba29466cf8432ef0e31
• Instruction ID: b9e0d0b840771250a26158187debf6a9cc37814855b68089529b1d60e3d0ddd7
• Opcode Fuzzy Hash: 16c418f635b7997d422461bb1109cad39f8a5bab48b5cba29466cf8432ef0e31
• Instruction Fuzzy Hash: 9F0257B0C01629DFCF15DFA4D884AEEBFB6FF59700F10816AE805AA296D7704941CFA4
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Graph of the function at 004445C9 (legend: Executed / Not Executed); the raw basic-block edge dump rendered here is not reproduced.
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 004445EE
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,?,00000000), ref: 00444609
  • Part of subcall function 00405435: _strnlen.LIBCMT ref: 0040544E
• LoadLibraryA.KERNEL32(Kernel32.dll,00000000,?,00000000), ref: 00444641
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameA), ref: 00444660
• OpenProcess.KERNEL32(00001000,00000000,?,?,00000000), ref: 00444679
• _memset.LIBCMT ref: 0044469C
• QueryFullProcessImageNameA.KERNEL32(?,00000000,?,?,00000000), ref: 004446BF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$Name$AddressCurrentFileFullImageLibraryLoadModuleOpenProcQuery_memset_strnlen
                                                                                                                              • String ID: Kernel32.dll$QueryFullProcessImageNameA$System$System Idle Process
                                                                                                                              • API String ID: 2485872015-1946616455
                                                                                                                              • Opcode ID: 6b093323826ac006c3ceb908b3be76456bd45cabf645229688d3930e6abbe1cb
                                                                                                                              • Instruction ID: a02533f0275960e48d2c5a4f9e025311784f07c53599bab7754c0fdaecda7c4d
                                                                                                                              • Opcode Fuzzy Hash: 6b093323826ac006c3ceb908b3be76456bd45cabf645229688d3930e6abbe1cb
                                                                                                                              • Instruction Fuzzy Hash: B6719175900129ABEB20AF60CC89BAEBBB9EB45355F1001A7F509E2150DB7C5E81CF55
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 3277 472f83-47301b __EH_prolog3 call 459443 call 4597a0 call 459852 call 401bab call 4014a6 call 45974c call 401962 call 40124d call 401bab lua_type 3296 473030-47304e call 401bab lua_type 3277->3296 3297 47301d-47302b call 459852 call 4019b2 3277->3297 3302 473063-47307c call 401bab lua_type 3296->3302 3303 473050-47305e call 459852 call 4019b2 3296->3303 3297->3296 3310 4730d0-4730e3 lua_type 3302->3310 3311 47307e-4730cb call 459852 call 4019b2 call 4014a6 call 45974c call 401962 call 40124d 3302->3311 3303->3302 3312 4730f7-473108 lua_type 3310->3312 3313 4730e5-4730f4 call 4593ca call 5b5910 3310->3313 3311->3310 3317 473125-47312c call 403787 3312->3317 3318 47310a-473116 lua_type 3312->3318 3313->3312 3328 473131-473155 _memset 3317->3328 3329 47312e 3317->3329 3318->3317 3322 473118-473122 call 459912 3318->3322 3322->3317 3333 473157 3328->3333 3334 47315e-473191 ShellExecuteEx 3328->3334 3329->3328 3333->3334 3336 473193-473196 3334->3336 3337 4731f1-4731fa call 45958a 3334->3337 3340 4731fd-473211 GetExitCodeProcess 3336->3340 3341 473198-4731a3 3336->3341 3337->3340 3344 473213-473217 3340->3344 3345 47321d-473237 CloseHandle call 4593d3 3340->3345 3346 4731dd-4731ed MsgWaitForMultipleObjects 3341->3346 3344->3345 3348 473219 3344->3348 3355 47323f-47327f lua_pushnumber call 40124d * 4 call 5b5276 3345->3355 3356 473239 3345->3356 3350 4731ef 3346->3350 3351 4731c8-4731db PeekMessageA 3346->3351 3348->3345 3350->3340 3351->3346 3354 4731a5-4731a9 3351->3354 3357 4731b4-4731c2 TranslateMessage DispatchMessageA 3354->3357 3358 4731ab-4731b2 3354->3358 3356->3355 3357->3351 3358->3351 3358->3357
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00472F8A
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 0047300F
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 00473045
                                                                                                                              • lua_type.LUA5.1(?,00000004), ref: 00473073
                                                                                                                              • lua_type.LUA5.1(?,?,?,?,?,?,?,?,?,?,00000078), ref: 004730DA
                                                                                                                              • lua_type.LUA5.1(?,00000006,?,?,?,?,?,?,?,?,00000078), ref: 004730FF
                                                                                                                              • lua_type.LUA5.1(?,00000006,?,?,?,?,?,?,?,?,00000078), ref: 0047310D
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              • _memset.LIBCMT ref: 00473142
                                                                                                                              • ShellExecuteEx.SHELL32(?), ref: 00473189
                                                                                                                              • TranslateMessage.USER32(?), ref: 004731B8
                                                                                                                              • DispatchMessageA.USER32(?), ref: 004731C2
                                                                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004731D3
                                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 004731E8
                                                                                                                              • GetExitCodeProcess.KERNEL32(?,00000000), ref: 00473204
                                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 00473220
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?,?,?), ref: 00473243
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_type.$H_prolog3$Message$lua_remove.$CloseCodeDispatchExecuteExitHandleMultipleObjectsPeekProcessShellTranslateWait_memset_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnumber.lua_pushstring.lua_tolstring.
                                                                                                                              • String ID: @$open
                                                                                                                              • API String ID: 1748809283-267353779
                                                                                                                              • Opcode ID: 69cb91ca6aa18d53d3b9747b94d441df8d28cbc87f33bb7bc4226c01ec9e5028
                                                                                                                              • Instruction ID: 000cf7223813bef519a688619f11619f6c4dccf32749e9755a5d4d205109e549
                                                                                                                              • Opcode Fuzzy Hash: 69cb91ca6aa18d53d3b9747b94d441df8d28cbc87f33bb7bc4226c01ec9e5028
                                                                                                                              • Instruction Fuzzy Hash: 5C91C472D042099FDB14EFA5CC46BEE77B8EF05325F24412FF114B62D2DA386A448B69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 3369 4bb78b-4bb7b4 call 4b87f6 3372 4bb7bb-4bb7c0 3369->3372 3373 4bb7b6-4bb7b9 3369->3373 3375 4bb7cd-4bb7d2 GetWindow 3372->3375 3376 4bb7c2-4bb7cb GetParent 3372->3376 3374 4bb7f2-4bb82a GetWindowRect 3373->3374 3377 4bb8c3-4bb8ea GetParent GetClientRect * 2 MapWindowPoints 3374->3377 3378 4bb830-4bb832 3374->3378 3379 4bb7d8-4bb7dc 3375->3379 3376->3379 3383 4bb8f0-4bb933 3377->3383 3381 4bb84d-4bb856 3378->3381 3382 4bb834-4bb842 GetWindowLongA 3378->3382 3379->3374 3380 4bb7de-4bb7ee SendMessageA 3379->3380 3380->3374 3386 4bb7f0 3380->3386 3389 4bb858-4bb85f call 403787 3381->3389 3390 4bb894-4bb8c1 GetWindowRect MonitorFromWindow GetMonitorInfoA CopyRect 3381->3390 3387 4bb84b 3382->3387 3388 4bb844-4bb849 3382->3388 3384 4bb93d-4bb940 3383->3384 3385 4bb935-4bb93b 3383->3385 3391 4bb942 3384->3391 3392 4bb945-4bb94d 3384->3392 3385->3384 3386->3374 3387->3381 3388->3381 3388->3387 3399 4bb861 3389->3399 3400 4bb864-4bb892 MonitorFromWindow GetMonitorInfoA CopyRect * 2 3389->3400 3390->3383 3391->3392 3394 4bb958-4bb95b 3392->3394 3395 4bb94f-4bb955 3392->3395 3397 4bb95d 3394->3397 3398 4bb960-4bb96d call 4b8b6d 3394->3398 3395->3394 3397->3398 3402 4bb972-4bb980 call 5b518f 3398->3402 3399->3400 3400->3383
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 004B87F6: GetWindowLongA.USER32(?,000000F0), ref: 004B8801
                                                                                                                              • GetParent.USER32(?), ref: 004BB7C5
                                                                                                                              • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004BB7E6
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 004BB805
                                                                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 004BB837
                                                                                                                              • MonitorFromWindow.USER32(00000000,00000001), ref: 004BB86B
                                                                                                                              • GetMonitorInfoA.USER32(00000000), ref: 004BB872
                                                                                                                              • CopyRect.USER32(?,?), ref: 004BB886
                                                                                                                              • CopyRect.USER32(?,?), ref: 004BB890
                                                                                                                              • GetWindowRect.USER32(00000000,?), ref: 004BB899
                                                                                                                              • MonitorFromWindow.USER32(00000000,00000002), ref: 004BB8A6
                                                                                                                              • GetMonitorInfoA.USER32(00000000), ref: 004BB8AD
                                                                                                                              • CopyRect.USER32(?,?), ref: 004BB8BB
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
                                                                                                                              • String ID: (
                                                                                                                              • API String ID: 783970248-3887548279
                                                                                                                              • Opcode ID: 2e206c960bff76c65d011af9281d4477af9f095c375483303fdf7989cd3c9211
                                                                                                                              • Instruction ID: 0526c366f56fd67939eef59efbbfee4d572cc4f5001d7726c902ecad3bd9f23d
                                                                                                                              • Opcode Fuzzy Hash: 2e206c960bff76c65d011af9281d4477af9f095c375483303fdf7989cd3c9211
                                                                                                                              • Instruction Fuzzy Hash: 246105B1E10229ABCB11DFA9CD88AEEBBBDFF48710F145116E505B3650DB74A901CBA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 3450 44c87a-44c925 call 4b56a0 call 4015ec _memset * 2 3455 44c946 3450->3455 3456 44c927-44c928 3450->3456 3459 44c948 3455->3459 3457 44c942-44c944 3456->3457 3458 44c92a-44c92b 3456->3458 3462 44c93f-44c940 3457->3462 3460 44c93d 3458->3460 3461 44c92d-44c92e 3458->3461 3463 44c94f-44c95e lstrlen 3459->3463 3460->3462 3464 44c930-44c937 3461->3464 3465 44c939-44c93b 3461->3465 3462->3459 3466 44c960-44c971 call 449e8d 3463->3466 3467 44c973-44c98a call 44c823 3463->3467 3464->3463 3465->3459 3472 44c98d-44c9af lstrlen 3466->3472 3467->3472 3473 44c9b4 3472->3473 3474 44c9b1-44c9b2 3472->3474 3475 44c9ba-44c9ca CreateProcessA 3473->3475 3474->3475 3476 44c9e0-44c9f1 3475->3476 3477 44c9cc-44c9da GetLastError 3475->3477 3479 44c9f7-44c9fd 3476->3479 3480 44ca82-44ca96 CloseHandle * 2 3476->3480 3477->3476 3478 44ca98-44caba call 40124d call 5b518f 3477->3478 3482 44ca52-44ca66 MsgWaitForMultipleObjects 3479->3482 3480->3478 3483 44ca3d-44ca50 PeekMessageA 3482->3483 3484 44ca68-44ca6e 3482->3484 3483->3482 3486 44c9ff-44ca09 3483->3486 3484->3480 3487 44ca70-44ca7c GetExitCodeProcess 3484->3487 3486->3483 3490 44ca0b-44ca15 3486->3490 3487->3480 3490->3483 3491 44ca17-44ca21 3490->3491 3491->3483 3492 44ca23-44ca37 TranslateMessage DispatchMessageA 3491->3492 3492->3483
                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 0044C8DD
                                                                                                                              • _memset.LIBCMT ref: 0044C8EC
                                                                                                                              • lstrlen.KERNEL32(?,?,?,00000000), ref: 0044C950
                                                                                                                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0044C993
                                                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,?,?,?), ref: 0044C9C2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0044C9CC
• TranslateMessage.USER32(?), ref: 0044CA2A
• DispatchMessageA.USER32(?), ref: 0044CA37
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0044CA48
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0044CA62
• GetExitCodeProcess.KERNEL32(?,?), ref: 0044CA7C
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0044CA8E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0044CA96
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Message$CloseHandleProcess_memsetlstrlen$CodeCreateDispatchErrorExitLastMultipleObjectsPeekTranslateWait
• String ID: "%s" %s
• API String ID: 2044587009-1070868581
• Opcode ID: c0cc0c49a236f5ded0ea8b06f0b4c4182e01ed3215f27af4462474b041b00ea4
• Instruction ID: 35c82a5213f9f35a52ecf7f5653f6d96b4d14db4d77b397bd2bc0d4724070ad4
• Opcode Fuzzy Hash: c0cc0c49a236f5ded0ea8b06f0b4c4182e01ed3215f27af4462474b041b00ea4
• Instruction Fuzzy Hash: 4851717195222DABDB619F64CC88BEBBB78EF04710F140197B509E2161DB344E80CF94
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 0041D328
• MessageBoxA.USER32(00000000,?,026D82D8,00000010), ref: 0041D38E
• _malloc.LIBCMT ref: 0041D3F4
• lstrcpy.KERNEL32(?,?), ref: 0041D4F4
• lstrcat.KERNEL32(?,?), ref: 0041D508
• MessageBoxA.USER32(00000000,?,ERROR,00000010), ref: 0041D426
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• MessageBoxA.USER32(00000000,?,?,00000000), ref: 0041D652
• _free.LIBCMT ref: 0041D696
Strings
• Error in compressed file - Bad CRCOriginal: %dCalculated: %d, xrefs: 0041D635
• Unable to allocate memory buffer, xrefs: 0041D404
• ERROR, xrefs: 0041D416
• Unable to open archive file: %d, xrefs: 0041D367
• Unable to open archive file, xrefs: 0041D350
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Message$H_prolog3_free_malloc_memsetlstrcatlstrcpy
• String ID: ERROR$Error in compressed file - Bad CRCOriginal: %dCalculated: %d$Unable to allocate memory buffer$Unable to open archive file$Unable to open archive file: %d
• API String ID: 2051063334-2979399668
• Opcode ID: 3d88c7f2ae69a968be2d778677e82cc7cc4de5c7527dc46d7acb9f94a65af994
• Instruction ID: 228f271a15597c2f46b9f19d639ac7bbf06cb629f60768003966d6c7016263ec
• Opcode Fuzzy Hash: 3d88c7f2ae69a968be2d778677e82cc7cc4de5c7527dc46d7acb9f94a65af994
• Instruction Fuzzy Hash: 8DB128B1900228DFDB20DB64CD45EDDB7B4AB98318F1085DAF499B2282DBB45AE4CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
  • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
• _strlen.LIBCMT ref: 00427430
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
• DeleteFileA.KERNEL32(?,?,?,\irsetup.skin,00000000,?), ref: 00427451
• GetLastError.KERNEL32(00000000), ref: 00427490
  • Part of subcall function 0040C75B: _strlen.LIBCMT ref: 0040C79F
• GetFileAttributesA.KERNEL32(00000001,?,?,?,00000000,00000001,00000000), ref: 004275BD
• DeleteFileA.KERNEL32(00000001,?,?,?,00000000,00000001,00000000), ref: 004275CB
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FileH_prolog3$Delete_strlen$AttributesErrorLast__mbsinc_memcpy_s_strnlen
• String ID: Delete plugin file: $Delete primer file: $Delete skin file: $\irsetup.skin
• API String ID: 41566659-3049212666
• Opcode ID: 5a0049a2c3271468f71c39f71784d62b2d8032af1d314b8bd9f7e15357b7b5e2
• Instruction ID: e1ad8fb57a85e154da548c55155deb92fce6abe91f50a8f3a994385913f67cd5
• Opcode Fuzzy Hash: 5a0049a2c3271468f71c39f71784d62b2d8032af1d314b8bd9f7e15357b7b5e2
• Instruction Fuzzy Hash: B2A17E719040499FDB04EBE8DC85EBE7BB9AF55324F14026EF111B72E2DA385D40CB6A
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID:
• String ID: %s%s$ERR_CREATE_FOLDER$INSTALL_STAGE_INSTALLING_FILES$Install archive file: $MSG_ERROR$MSG_INSTALLING$MSG_SKIPPING$_SuppressUninstallDataDuplicateCheck
• API String ID: 0-1397023231
• Opcode ID: 6b2b4816e3fe1f59c8daa3f8d5eee16e08241a84fd2d987692c1a28bcd17f514
• Instruction ID: 03ff3c82bcaaacfabcb7d7b7adf69115315a6705427eed211a3a6a666c0bcce8
• Opcode Fuzzy Hash: 6b2b4816e3fe1f59c8daa3f8d5eee16e08241a84fd2d987692c1a28bcd17f514
• Instruction Fuzzy Hash: D7124D70D00658DECB24DF65CC81EDEB7B5AF49318F4041EEE089A7292DAB856C0CF19
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(?,?,?), ref: 004CC8F9
• GetLastError.KERNEL32(?,?,?), ref: 004CC90A
• SetFileAttributesA.KERNEL32(?,?,?,?), ref: 004CC933
• GetLastError.KERNEL32(?,?,?), ref: 004CC93E
• CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?), ref: 004CC9BC
• GetLastError.KERNEL32(?,?,?), ref: 004CC9CA
• SetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 004CC9DF
• GetLastError.KERNEL32(?,?), ref: 004CC9EF
• CloseHandle.KERNEL32(00000000,?,?), ref: 004CC9F9
• CloseHandle.KERNEL32(00000000,?,?), ref: 004CCA05
  • Part of subcall function 004CC5B9: GetModuleHandleA.KERNEL32(kernel32.dll,0000000C,?,004CC6FC,00450998,00000000,0067C48C,0000002E,00450998,00000000,?,?,-00000010,0067C48C,000000FF), ref: 004CC5CB
  • Part of subcall function 004CC5B9: GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 004CC5DB
• GetLastError.KERNEL32(?,?,?), ref: 004CCA0C
• SetFileAttributesA.KERNEL32(?,?,?,?), ref: 004CCA3B
• GetLastError.KERNEL32(?,?,?), ref: 004CCA46
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ErrorLast$File$AttributesHandle$Close$AddressCreateModuleProcTime
• String ID:
• API String ID: 3934836844-0
• Opcode ID: 9b8751c275534dc08fd078b97f0551b692b488f452cd7dc5d972a61b331c35ed
• Instruction ID: 24ab066ba45105931fb556f069e2820fc17eb39e3b3e24fd6d639b2d76d4516e
• Opcode Fuzzy Hash: 9b8751c275534dc08fd078b97f0551b692b488f452cd7dc5d972a61b331c35ed
• Instruction Fuzzy Hash: 65515D79910204ABDB54EFB5D8C9FBE77B9AF08310B14451FF91AA2251DB38A8019B28
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00495B69
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0048CCBB: __EH_prolog3.LIBCMT ref: 0048CCC2
                                                                                                                                • Part of subcall function 0048C2A0: __EH_prolog3.LIBCMT ref: 0048C2A7
                                                                                                                                • Part of subcall function 004C3A0F: __EH_prolog3_catch_GS.LIBCMT ref: 004C3A19
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$H_prolog3_catch_
                                                                                                                              • String ID: On Back$On Cancel$On Ctrl Message$On Help$On Next$On Preload$Screen.Back();$Screen.Next();$if g_ConfirmSetupAbort() thenApplication.Exit();end$number e_CtrlID, number e_MsgID, table e_Details
                                                                                                                              • API String ID: 2899319929-3261342500
                                                                                                                              • Opcode ID: 03d0ceb04b709f9b52de4624381557cf450ee9ced8033bd109f6557579b78b67
                                                                                                                              • Instruction ID: 85f5a6a40cc4e7496d428545d972af7344d72b37c1b01569cf554b4e6e7f0580
                                                                                                                              • Opcode Fuzzy Hash: 03d0ceb04b709f9b52de4624381557cf450ee9ced8033bd109f6557579b78b67
                                                                                                                              • Instruction Fuzzy Hash: 02516370E11205AACF04FFA9C993EDDBAB59F49714F10855EF015732D1DB782F048AAA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ConvertStringSidToSidA.ADVAPI32(?,?), ref: 00409E19
                                                                                                                              • LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00409E44
                                                                                                                              • GetLastError.KERNEL32 ref: 00409E46
                                                                                                                              • _malloc.LIBCMT ref: 00409E62
                                                                                                                                • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
                                                                                                                                • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
                                                                                                                                • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
                                                                                                                              • _malloc.LIBCMT ref: 00409E6C
                                                                                                                              • _memset.LIBCMT ref: 00409E83
                                                                                                                              • _memset.LIBCMT ref: 00409E8F
                                                                                                                              • LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00409EAB
                                                                                                                              • _free.LIBCMT ref: 00409ED0
                                                                                                                              • _free.LIBCMT ref: 00409EDF
                                                                                                                              • GetLastError.KERNEL32 ref: 00409EE7
                                                                                                                              • LocalFree.KERNEL32(?), ref: 00409EFA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AccountErrorLastLookup_free_malloc_memset$AllocateConvertFreeHeapLocalString
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2640322024-0
                                                                                                                              • Opcode ID: 5ea395a3e36f9e9e05fc0fa55426daa0ca483c7ef0d141acad7c5a1c92f1767b
                                                                                                                              • Instruction ID: a0d2c250bb39911456f383e9fe37b1c20b5463b8f4ad8ceab07637e08fc4b812
                                                                                                                              • Opcode Fuzzy Hash: 5ea395a3e36f9e9e05fc0fa55426daa0ca483c7ef0d141acad7c5a1c92f1767b
                                                                                                                              • Instruction Fuzzy Hash: 173133B680011ABBCF12AFA1DC848EEBFBDFF44750B204466F904A2192D7319E41DBA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00427AC3
                                                                                                                                • Part of subcall function 0040C62C: __mbsinc.LIBCMT ref: 0040C654
                                                                                                                                • Part of subcall function 0041E239: __mbsinc.LIBCMT ref: 0041E25A
                                                                                                                              • _strlen.LIBCMT ref: 00427B05
                                                                                                                                • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
                                                                                                                                • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
                                                                                                                              • GetCurrentDirectoryA.KERNEL32(00000104,?,00698DAC,00000000,0000005C), ref: 00427B22
                                                                                                                              • _memset.LIBCMT ref: 00427B3D
                                                                                                                              • SetCurrentDirectoryA.KERNEL32(?), ref: 00427BB9
                                                                                                                              • SetCurrentDirectoryA.KERNEL32(?,00698DAC,00000002,0069C3B4,?,00000002), ref: 00427D7C
                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000), ref: 00427D92
                                                                                                                                • Part of subcall function 0040C75B: _strlen.LIBCMT ref: 0040C79F
                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000), ref: 00427BCF
                                                                                                                                • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
                                                                                                                                • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
                                                                                                                              • SetCurrentDirectoryA.KERNEL32(?), ref: 00427E96
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Directory$Current$CreateH_prolog3__mbsinc_strlen$H_prolog3__memcpy_s_memset_strnlen
                                                                                                                              • String ID: Create folder:
                                                                                                                              • API String ID: 589701281-1628409573
                                                                                                                              • Opcode ID: d95adbabc404d7e64d32e594425b69f5a45ddbd51dd9ab267e7ab12384eaaea4
                                                                                                                              • Instruction ID: e36bac802864067c2d9b8f7b26585984129ea439d9d0ff545939566fe11bde49
                                                                                                                              • Opcode Fuzzy Hash: d95adbabc404d7e64d32e594425b69f5a45ddbd51dd9ab267e7ab12384eaaea4
                                                                                                                              • Instruction Fuzzy Hash: 05B19171A0011CAFCB24EBA5DC89BEE7779AF15314F4001EAE10967291DB386E85CF69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RtlEnterCriticalSection.NTDLL(0000001C), ref: 004D2C68
                                                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00000000,00000000,?,004D3093,00000004,004C3271,004B4C78,004B55B9,0040192B,?), ref: 004D2CBE
                                                                                                                              • GlobalHandle.KERNEL32(?), ref: 004D2CC7
                                                                                                                              • GlobalUnWire.KERNEL32(00000000), ref: 004D2CD1
                                                                                                                              • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 004D2CEA
                                                                                                                              • GlobalHandle.KERNEL32(?), ref: 004D2CFC
                                                                                                                              • GlobalFix.KERNEL32(00000000), ref: 004D2D03
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 004D2D0C
                                                                                                                              • GlobalFix.KERNEL32(00000000), ref: 004D2D18
                                                                                                                              • _memset.LIBCMT ref: 004D2D32
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 004D2D60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Global$CriticalSection$AllocHandleLeave$EnterWire_memset
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 9613507-0
                                                                                                                              • Opcode ID: 0679316ae341752556f16bd125170ce8895d1f644be7faa857a94d0bdf51db94
                                                                                                                              • Instruction ID: bdda9141ab7e882e202a32f6f1f59a44c2d9e325207c2d706d45ec3e76051b19
                                                                                                                              • Opcode Fuzzy Hash: 0679316ae341752556f16bd125170ce8895d1f644be7faa857a94d0bdf51db94
                                                                                                                              • Instruction Fuzzy Hash: EE31EF71604704AFD7209F68CD89A5ABBFEFF84B05B05486FE446D3A61DB74EC008B54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
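                                                                                                                               The "API ID" shown under each entry's Similarity heading is a frequency-grouped token key built from that function's API listing, and it can be recomputed from the listing text alone, which is useful when grouping functions with the same key across several reports. The Python below is an added example, not Joe Sandbox's own code. Its tokenisation rules (split the symbol name at every uppercase letter, drop tokens shorter than four characters, count tokens across direct calls and "Part of subcall function" lines alike, group by count with the highest first, sort each group in plain ASCII order, join the groups with "$") are inferred from the entries on this page and are an assumption, not a documented algorithm. The two sample listings are copied from the ConvertStringSidToSidA/LookupAccountSidA function at 00409E19 and the GlobalAlloc/GlobalHandle routine at 004D2C68 above; the function names api_names, tokenize, api_id and group_by_api_id are hypothetical. The String ID half of the "API String ID" pair is not reproduced.

```python
"""Recompute the 'API ID' similarity key from a Joe Sandbox function listing.

Added example, not Joe Sandbox's code. Rules below are INFERRED from the
entries on this page (an assumption, not a documented algorithm):
  * every call line (direct or "Part of subcall function ...") contributes
    the symbol name before its module suffix (".ADVAPI32", ".LIBCMT", ...);
  * the name is split at each uppercase letter: "GetLastError" gives
    "Get", "Last", "Error"; "__EH_prolog3_GS" gives "__", "E",
    "H_prolog3_", "G", "S"; a name with no uppercase ("_malloc") is one token;
  * tokens shorter than four characters are dropped ("Get", "Rtl", "Sid",
    "Fix", "A"), which is why "Sid" never shows up in a key;
  * tokens are counted over the whole listing, grouped by count (highest
    first), each group sorted in ASCII order and concatenated, and the
    groups joined with "$".
"""
import re
from collections import Counter

MIN_TOKEN_LEN = 4

# One call per line: optional bullet, optional subcall prefix, then Name.MODULE
# followed by either an argument list "(" or whitespace before "ref:".
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_]\w*)\.[A-Z][A-Z0-9]*(?:\(|\s)"
)
# CamelCase split: a token starts at each uppercase letter; a run without any
# uppercase letter (e.g. "_malloc", "__") is a single token.
_TOKEN_RE = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")

# Sample listings copied from this report (function at 00409E19 and 004D2C68).
SID_LOOKUP_LISTING = """
• ConvertStringSidToSidA.ADVAPI32(?,?), ref: 00409E19
• LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00409E44
• GetLastError.KERNEL32 ref: 00409E46
• _malloc.LIBCMT ref: 00409E62
  • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
  • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
  • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
• _malloc.LIBCMT ref: 00409E6C
• _memset.LIBCMT ref: 00409E83
• _memset.LIBCMT ref: 00409E8F
• LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00409EAB
• _free.LIBCMT ref: 00409ED0
• _free.LIBCMT ref: 00409EDF
• GetLastError.KERNEL32 ref: 00409EE7
• LocalFree.KERNEL32(?), ref: 00409EFA
"""

GLOBAL_MEMORY_LISTING = """
• RtlEnterCriticalSection.NTDLL(0000001C), ref: 004D2C68
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00000000,00000000,?,004D3093,00000004,004C3271,004B4C78,004B55B9,0040192B,?), ref: 004D2CBE
• GlobalHandle.KERNEL32(?), ref: 004D2CC7
• GlobalUnWire.KERNEL32(00000000), ref: 004D2CD1
• GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 004D2CEA
• GlobalHandle.KERNEL32(?), ref: 004D2CFC
• GlobalFix.KERNEL32(00000000), ref: 004D2D03
• RtlLeaveCriticalSection.NTDLL(?), ref: 004D2D0C
• GlobalFix.KERNEL32(00000000), ref: 004D2D18
• _memset.LIBCMT ref: 004D2D32
• RtlLeaveCriticalSection.NTDLL(?), ref: 004D2D60
"""


def api_names(listing):
    """Symbol names, in order, from the pasted 'APIs' lines of one function.
    Non-call lines (Strings, Memory Dump Source, Similarity, ...) are ignored."""
    names = []
    for line in listing.splitlines():
        m = _CALL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def tokenize(name):
    """Split one symbol into the words the key is built from."""
    return [t for t in _TOKEN_RE.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(listing):
    """Frequency-grouped, '$'-joined key matching the report's 'API ID' field."""
    counts = Counter(t for name in api_names(listing) for t in tokenize(name))
    by_count = {}
    for token, n in counts.items():
        by_count.setdefault(n, []).append(token)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def group_by_api_id(listings):
    """Map API ID -> labels of the functions sharing it (e.g. across reports)."""
    groups = {}
    for label, listing in listings.items():
        groups.setdefault(api_id(listing), []).append(label)
    return groups


if __name__ == "__main__":
    for label, listing in (("00409E19", SID_LOOKUP_LISTING),
                           ("004D2C68", GLOBAL_MEMORY_LISTING)):
        print(label, api_id(listing))
```

                                                                                                                               Paste the whole entry (APIs through Uniqueness) and only the call lines are consumed. Because tokens of three characters or fewer are discarded, distinct functions whose calls differ only in short words (for instance a "Sid" suffix, or Fix versus Free prefixes) can collide on the same key, so treat an identical API ID as a lead for manual comparison of the Opcode and Instruction fuzzy hashes, not as proof that two functions are the same.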

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00403F71
                                                                                                                                • Part of subcall function 004174DC: __EH_prolog3.LIBCMT ref: 004174E3
                                                                                                                                • Part of subcall function 005B5A3A: __waccess_s.LIBCMT ref: 005B5A45
                                                                                                                              • _strlen.LIBCMT ref: 0040420F
                                                                                                                                • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
                                                                                                                                • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
                                                                                                                              • MessageBoxA.USER32(00000004,?,00000000,?), ref: 004042E3
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
                                                                                                                                • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C2C6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$Message__waccess_s_memcpy_s_strlen_strnlen
                                                                                                                              • String ID: %s%s$%s %d. %s$ERR_WRONG_DISK$MSG_ASK_FOR_DISK$MSG_ERROR$MSG_NEW_LOCATION
                                                                                                                              • API String ID: 3414207875-2309438953
                                                                                                                              • Opcode ID: 7eaaa0701f7c619a911f5e60caa3b119e50061a95c3eb329e4b0700a4bfa0a1c
                                                                                                                              • Instruction ID: 4409bf8b29afb032833091567734ab4e1fb510bfcd76155e5a94485c31c37759
                                                                                                                              • Opcode Fuzzy Hash: 7eaaa0701f7c619a911f5e60caa3b119e50061a95c3eb329e4b0700a4bfa0a1c
                                                                                                                              • Instruction Fuzzy Hash: A5C17270900149DBCB04EBE5CC95BEEB778AF55328F14426EF125B72D2DB386A04CB69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00493E61
                                                                                                                                • Part of subcall function 00495D98: __EH_prolog3.LIBCMT ref: 00495D9F
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0043A2C6: __EH_prolog3.LIBCMT ref: 0043A2CD
                                                                                                                                • Part of subcall function 004AADE0: __EH_prolog3.LIBCMT ref: 004AADE7
                                                                                                                                • Part of subcall function 004A26F3: __EH_prolog3_GS.LIBCMT ref: 004A26FA
                                                                                                                              Strings
                                                                                                                              • %AppFolder%, xrefs: 00493E76
                                                                                                                              • n, xrefs: 00493E7B
                                                                                                                              • IDS_CTRL_STATICTEXT_SPACEREQUIRED, xrefs: 00494158
                                                                                                                              • IDS_CTRL_STATICTEXT_SPACEAVAILABLE, xrefs: 004941F2
                                                                                                                              • IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS, xrefs: 00493EBA
                                                                                                                              • IDS_CTRL_EDIT_FOLDER, xrefs: 00493FEA
                                                                                                                              • IDS_CTRL_BUTTON_BROWSE, xrefs: 004940C1
                                                                                                                              • IDS_CTRL_STATICTEXT_LABEL_01, xrefs: 00493F50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$H_prolog3__malloc_strlen
                                                                                                                              • String ID: %AppFolder%$IDS_CTRL_BUTTON_BROWSE$IDS_CTRL_EDIT_FOLDER$IDS_CTRL_STATICTEXT_LABEL_01$IDS_CTRL_STATICTEXT_SPACEAVAILABLE$IDS_CTRL_STATICTEXT_SPACEREQUIRED$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS$n
                                                                                                                              • API String ID: 3536593336-2937258074
                                                                                                                              • Opcode ID: c2fd84cd051f2db8b813c17c40dc6cc69e324e0b74074124a4ba2014e15081dd
                                                                                                                              • Instruction ID: e3f013ed91f7927fc694d6f8086a221780781eac5970542975d86febf2f687fc
                                                                                                                              • Opcode Fuzzy Hash: c2fd84cd051f2db8b813c17c40dc6cc69e324e0b74074124a4ba2014e15081dd
                                                                                                                              • Instruction Fuzzy Hash: E3C1B2B0900705DFCB24EFA6C492AAFBBF4BF15314F10461EE166A76D1CB786604CBA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0041A945
                                                                                                                                • Part of subcall function 00445632: __EH_prolog3.LIBCMT ref: 00445639
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 00445F5E: __EH_prolog3.LIBCMT ref: 00445F65
                                                                                                                                • Part of subcall function 0041DC12: __EH_prolog3.LIBCMT ref: 0041DC19
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: %CommonFilesFolder%\Microsoft Shared\DAO$.DLL$LocalMachine$Path$Software\Microsoft\Shared Tools\DAO$Software\Microsoft\Shared Tools\DAO350$Software\Microsoft\Shared Tools\DAO350.dll$Software\Microsoft\Shared Tools\DAO360.dll
                                                                                                                              • API String ID: 431132790-2418651373
                                                                                                                              • Opcode ID: 7c87532cb145e8d55a0ccc06198c49e8409880952a807129710eb846e7b0998f
                                                                                                                              • Instruction ID: 081ab0f7e7ca8fe283798c7dec49f6d0af966a49eed98f15e8d4fb4765556b11
                                                                                                                              • Opcode Fuzzy Hash: 7c87532cb145e8d55a0ccc06198c49e8409880952a807129710eb846e7b0998f
                                                                                                                              • Instruction Fuzzy Hash: 1E813170A40548ABEF05EBA5CC92EEF7B7D9F50708F44005EF106771D2DA781A86C6AA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0044D70E
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 0044D73E
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0044D757
                                                                                                                              • _malloc.LIBCMT ref: 0044D77B
                                                                                                                                • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
                                                                                                                                • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
                                                                                                                                • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
                                                                                                                              • 73EE1500.VERSION(00000000,00698DAC,?,?,?,?,00000000,00000000,?,?), ref: 0044D7AF
                                                                                                                              • _memmove.LIBCMT ref: 0044D7C7
                                                                                                                              • _free.LIBCMT ref: 0044D7FF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateAttributesE1500FileH_prolog3H_prolog3_Heap_free_malloc_memmovelstrcpy
                                                                                                                              • String ID: %d.%d.%d.%d
                                                                                                                              • API String ID: 180271064-3491811756
                                                                                                                              • Opcode ID: 12c11256bb6e408ceb6329a30832052851e5c26f8be2e7c1613ab96279c63b83
                                                                                                                              • Instruction ID: ae708701a1223bbf4dc120fe5af396da4ea2dc9e1d833a5e0aa810d0715649d5
                                                                                                                              • Opcode Fuzzy Hash: 12c11256bb6e408ceb6329a30832052851e5c26f8be2e7c1613ab96279c63b83
                                                                                                                              • Instruction Fuzzy Hash: 6421A071801129ABCB25ABA18C49AEEB77DEF45324F0001DAB518B6291DB349E808FA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049A6FC
                                                                                                                                • Part of subcall function 00495D98: __EH_prolog3.LIBCMT ref: 00495D9F
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                                • Part of subcall function 004A87FA: __EH_prolog3.LIBCMT ref: 004A8801
                                                                                                                              Strings
                                                                                                                              • IDS_CTRL_RADIOBTN_ALLUSERS, xrefs: 0049A97D
                                                                                                                              • s, xrefs: 0049A716
                                                                                                                              • IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS, xrefs: 0049A755
                                                                                                                              • %AppShortcutFolderName%, xrefs: 0049A711
                                                                                                                              • IDS_CTRL_RADIOBTN_PERUSER, xrefs: 0049A8D6
                                                                                                                              • IDS_CTRL_STATICTEXT_LABEL_01, xrefs: 0049A7E8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_malloc_strlen
                                                                                                                              • String ID: %AppShortcutFolderName%$IDS_CTRL_RADIOBTN_ALLUSERS$IDS_CTRL_RADIOBTN_PERUSER$IDS_CTRL_STATICTEXT_LABEL_01$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS$s
                                                                                                                              • API String ID: 3824019972-717321709
                                                                                                                              • Opcode ID: ce5d85e03088d3bb2759bbc9a5125e5a38c17ae4123f187580fe12927a355283
                                                                                                                              • Instruction ID: 93cb703d68f60375225cd15742f9290a1099f8fd825f281d37f4b1f9cd563d93
                                                                                                                              • Opcode Fuzzy Hash: ce5d85e03088d3bb2759bbc9a5125e5a38c17ae4123f187580fe12927a355283
                                                                                                                              • Instruction Fuzzy Hash: A091C8B0900706EFDB04EFA6C9566AEBBB5BF45314F10431EE115A72C1CB78A610CBE6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00464D5B
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 00464D90
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 00464DAF
                                                                                                                              • lua_type.LUA5.1(?,00000004), ref: 00464DCD
                                                                                                                              • lua_type.LUA5.1(?,00000005), ref: 00464DE8
                                                                                                                              • lua_type.LUA5.1(?,00000005), ref: 00464DF7
                                                                                                                                • Part of subcall function 00459912: __EH_prolog3.LIBCMT ref: 00459919
                                                                                                                                • Part of subcall function 00459912: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,00407B22,?,00000002), ref: 00459949
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_type.$H_prolog3$lua_remove.$lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.
                                                                                                                              • String ID: /
                                                                                                                              • API String ID: 661224282-2043925204
                                                                                                                              • Opcode ID: c533e1fc2a713c2c39f485978012ea7f4acb9ec93bb47e6310397c6ebf964237
                                                                                                                              • Instruction ID: 150edf945b3eebaa46a99f48cbef2d90174abca9690b9ca8d7cd97b5654a0257
                                                                                                                              • Opcode Fuzzy Hash: c533e1fc2a713c2c39f485978012ea7f4acb9ec93bb47e6310397c6ebf964237
                                                                                                                              • Instruction Fuzzy Hash: DC41D671D04204EEDF14EBB9D846BEE77A4AF41328F20061FF110B72D2EB7D6A45865A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00453672
• RemoveDirectoryA.KERNEL32(?,00000000,00000000,00000014,0043899C,00000228,0040F686,?,000000BC), ref: 00453750
  • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
  • Part of subcall function 00405B76: _strlen.LIBCMT ref: 00405BB5
• RemoveFontResourceA.GDI32(?), ref: 0045372E
• DeleteFileA.KERNEL32(?), ref: 0045373B
• DeleteFileA.KERNEL32(?), ref: 00453740
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DeleteFileH_prolog3Remove$DirectoryFontResource_strlen
• String ID: .FON$.TFT
• API String ID: 2487243399-300237490
• Opcode ID: 16e63cc75d84feba891de720de485214b6de957ce1bc043bc2fa9e7e82f888c1
• Instruction ID: 092cdb1744988c98010576193e33673522256f2603c5e68bc22b94d3eaf48bcb
• Opcode Fuzzy Hash: 16e63cc75d84feba891de720de485214b6de957ce1bc043bc2fa9e7e82f888c1
• Instruction Fuzzy Hash: CB318D718005099BCB05EBA5CC45AEEBB79AF15359F14425EB825733E2CB38AE04CA69
Uniqueness
Uniqueness Score: -1.00%
APIs
• ___set_flsgetvalue.LIBCMT ref: 005B9AA4
• __calloc_crt.LIBCMT ref: 005B9AB0
• __getptd.LIBCMT ref: 005B9ABD
• __initptd.LIBCMT ref: 005B9AC6
• CreateThread.KERNEL32(?,?,005B9A1A,00000000,?,?), ref: 005B9AF4
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 005B9AFE
• _free.LIBCMT ref: 005B9B07
• __dosmaperr.LIBCMT ref: 005B9B12
  • Part of subcall function 005B7892: __getptd_noexit.LIBCMT ref: 005B7892
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
• String ID:
• API String ID: 73303432-0
• Opcode ID: f6d73320a4a997c0cf6abfa75236e6c0e1d8930e124af24a74071945eaf97dd7
• Instruction ID: c680e988b2079c9518bbc0e0ec402a995a09aee03cc3f693acd20eed8ee7fb06
• Opcode Fuzzy Hash: f6d73320a4a997c0cf6abfa75236e6c0e1d8930e124af24a74071945eaf97dd7
• Instruction Fuzzy Hash: 7611E93220871BAFDB106FA4AC45DDB3FDCFF857207204429FA1496192DB71E8018661
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memset$H_prolog3_catch___splitpath_s
• String ID: %s%s%s.%d
• API String ID: 83545884-4241988911
• Opcode ID: 6db399e40d94167b5f76db3a03996689f83ec81fc52a925b94aaf317d22f42df
• Instruction ID: 7669b8512aeb4f9363ae219213a47c3523ac02e2487f9f431b7658d0081f10e9
• Opcode Fuzzy Hash: 6db399e40d94167b5f76db3a03996689f83ec81fc52a925b94aaf317d22f42df
• Instruction Fuzzy Hash: 936150B19002189FCB25DF64C891AEEB7FDAF88314F4041AEE149A7291DA346F85CF54
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 0044CBBA
  • Part of subcall function 0040C62C: __mbsinc.LIBCMT ref: 0040C654
  • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
• _strlen.LIBCMT ref: 0044CBF9
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
• _memset.LIBCMT ref: 0044CC23
• SetCurrentDirectoryA.KERNEL32(?), ref: 0044CC8D
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0044CC9F
• SetCurrentDirectoryA.KERNEL32(?,00698DAC,00000002,0069C3B4,?,00000002), ref: 0044CD43
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0044CD55
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Directory$CreateCurrent__mbsinc$H_prolog3__memcpy_s_memset_strlen_strnlen
• String ID:
• API String ID: 1898474234-0
• Opcode ID: 648d565589500e37cef12648dbb973db257b38290444c3116088d2213bbdecf0
• Instruction ID: 2ffcec387168d17eea4a58c53a9f2b9464b6a28545e6cc168bbda13fdaa225ff
• Opcode Fuzzy Hash: 648d565589500e37cef12648dbb973db257b38290444c3116088d2213bbdecf0
• Instruction Fuzzy Hash: 4051F67190211C9BDB64EF64C8C57DE7B68AF05314F0841BBE909A7181DA385E85CFD9
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 00406EBD
• _strlen.LIBCMT ref: 00406F7A
• IsWindow.USER32(?), ref: 00406FB7
• RedrawWindow.USER32(?,00000000,00000000,00000105,00000005), ref: 00407000
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$H_prolog3Redraw_malloc_strlen
• String ID: Initializing...$MSG_INITIALIZING
• API String ID: 512199714-1400418863
• Opcode ID: 2a4533297e1625ecd4f8429cefe7469d283ee11d23029efe19a3f03ff0893d25
• Instruction ID: 5e34b494389515830c364dcee42ac08a1b17245997bafec3f24aeab52446d33b
• Opcode Fuzzy Hash: 2a4533297e1625ecd4f8429cefe7469d283ee11d23029efe19a3f03ff0893d25
• Instruction Fuzzy Hash: 1731AD719047069BDB24EBB4C951BAF77B9EF40318F10062EB16BA72D2DA386900CB25
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0044C238
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0044C24A
• GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 0044C263
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0044C28E
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DiskFreeSpace$AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 746228563-3712701948
• Opcode ID: 6c3bc5b2b85cf54cd0feafec8dc0d18ec4f1fc85fc53f8851ad527d9eac810f6
• Instruction ID: 14757aa4aa075bc289848a6ed96b6f286cefdcf0e13fba133f5b97f0af843331
• Opcode Fuzzy Hash: 6c3bc5b2b85cf54cd0feafec8dc0d18ec4f1fc85fc53f8851ad527d9eac810f6
• Instruction Fuzzy Hash: 9A110AB2901119AF9B05DFE4CC84CEEBBBDFB09700B04805AE906D7250EA70DA05CBA4
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 005D3200
                                                                                                                              • TlsGetValue.KERNEL32(00000000,0000000C,005D68EE,00000408,005D2578,00000011,is5_GetHBITMAPDimensions,00000000), ref: 005D3217
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                              • TlsSetValue.KERNEL32(?,00000000), ref: 005D324E
                                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 005D3258
                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 005D326A
                                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 005D3273
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 005D3289
                                                                                                                                • Part of subcall function 005D30BA: __EH_prolog3.LIBCMT ref: 005D30C1
                                                                                                                                • Part of subcall function 005D30BA: RtlInitializeCriticalSection.NTDLL(?), ref: 005D31EB
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalSection$Value$EnterErrorException@8H_prolog3H_prolog3_catchInitializeLastLeaveThrow_malloc
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3959456195-0
                                                                                                                              • Opcode ID: 2b598173a0f4d851e8478da5f27def209be45906c25ae8a346a5ccd3321209e6
                                                                                                                              • Instruction ID: 033f31a2d19ad19000d50990a498e67192a641e51abf414b507a699f4f02104d
                                                                                                                              • Opcode Fuzzy Hash: 2b598173a0f4d851e8478da5f27def209be45906c25ae8a346a5ccd3321209e6
                                                                                                                              • Instruction Fuzzy Hash: CC114C75D05206DFDB20EFB889899BEBFB9BB54700B20096FE105E3241DA745F058B62
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004641C7
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_type.LUA5.1(?,00000002), ref: 0046420F
• lua_type.LUA5.1(?,00000003), ref: 00464240
• lua_type.LUA5.1(?,00000004), ref: 00464261
• lua_type.LUA5.1(?,00000005,?,?,?,?,?,?,00000020), ref: 00464285
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
  • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
  • Part of subcall function 0044C87A: _memset.LIBCMT ref: 0044C8DD
  • Part of subcall function 0044C87A: _memset.LIBCMT ref: 0044C8EC
  • Part of subcall function 0044C87A: lstrlen.KERNEL32(?,?,?,00000000), ref: 0044C950
  • Part of subcall function 0044C87A: lstrlen.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0044C993
  • Part of subcall function 0044C87A: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,?,?,?), ref: 0044C9C2
  • Part of subcall function 0044C87A: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0044C9CC
• lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,00000020), ref: 00464383
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3lua_type.$_memsetlstrlenlua_remove.$CreateErrorLastProcess_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnumber.lua_pushstring.lua_tolstring.
• String ID:
• API String ID: 436662782-0
• Opcode ID: 0343fa4ccd6f2edcf33364c0cc3c77d9b5c940a1750539c7a076baa53da11e7e
• Instruction ID: d5df8da035bba0d8b1fc55304d3aa00b71b62b15117117ad362c46f4b6f236c5
• Opcode Fuzzy Hash: 0343fa4ccd6f2edcf33364c0cc3c77d9b5c940a1750539c7a076baa53da11e7e
• Instruction Fuzzy Hash: 83510972804205AADB14ABB9DC47BAF7768DF45338F34061FF125B62D3EE3C69408669
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00492486
  • Part of subcall function 00495D98: __EH_prolog3.LIBCMT ref: 00495D9F
  • Part of subcall function 00492382: __EH_prolog3.LIBCMT ref: 00492389
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 004A51BC: __EH_prolog3.LIBCMT ref: 004A51C3
  • Part of subcall function 004A26F3: __EH_prolog3_GS.LIBCMT ref: 004A26FA
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$H_prolog3__malloc
• String ID: $IDS_CTRL_STATICTEXT_BOTTOMINSTRUCTIONS$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS$x
• API String ID: 534863677-1327038464
• Opcode ID: 651d966aea8a851ea7862a6b780a26d837fcd4ca01976dd3a215bedc907b26ab
• Instruction ID: 7c03824a848b0b150440b1ad397cc3a49011129d7d8a0da48678406ddf21ab2c
• Opcode Fuzzy Hash: 651d966aea8a851ea7862a6b780a26d837fcd4ca01976dd3a215bedc907b26ab
• Instruction Fuzzy Hash: 89E16EB1D007059FCB14DFA9C941AAEBBF4BF08314F10466EE4A6E72D1DB78A601CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00477D7A
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 00454035: __EH_prolog3.LIBCMT ref: 0045403C
  • Part of subcall function 00454035: GetCurrentProcessId.KERNEL32(00000004), ref: 0045404C
  • Part of subcall function 00444467: K32EnumProcesses.KERNEL32(?,00001000,?), ref: 004444B0
• lua_createtable.LUA5.1(?,00000000,00000000,00000000), ref: 00477DCF
  • Part of subcall function 004445C9: GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 004445EE
  • Part of subcall function 004445C9: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,?,00000000), ref: 00444609
• lua_pushnumber.LUA5.1(?,?,?,?), ref: 00477E01
• lua_pushstring.LUA5.1(?,?,?,?,?,?), ref: 00477E0A
• lua_settable.LUA5.1(?,000000FD,?,?,?,?,?,?), ref: 00477E12
• lua_pushnil.LUA5.1(?), ref: 00477E58
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: CurrentH_prolog3Processlua_pushstring.lua_remove.$EnumFileModuleNameProcesseslua_createtable.lua_getfield.lua_gettable.lua_pcall.lua_pushnil.lua_pushnumber.lua_settable.lua_type.
• String ID:
• API String ID: 1919865280-0
• Opcode ID: 13e40c3d9f6643123b315f9e9e2dc89c8865023597f4eab6af70a68bcd927d84
• Instruction ID: 8b5e7d3f41d687c7750ffd1ab68f6b4b7d71d40aa2cc28677508ecf9e2ac103d
• Opcode Fuzzy Hash: 13e40c3d9f6643123b315f9e9e2dc89c8865023597f4eab6af70a68bcd927d84
• Instruction Fuzzy Hash: CA21A031808109ABCB04EFA5CD82AFEB774AF51318F50826FF525661D2DF3C5E05C6AA
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lstrlen$FolderFromH_prolog3_ListLocationMallocPathSpecial
• String ID:
• API String ID: 4010010178-0
• Opcode ID: c3bdc423bc906938b907a88840b19e00afc1d22f348758823d126643a4692fb8
• Instruction ID: 8cb992b7b7bb82ef99b9d4840fb322ab34d29d67bcb88919a0aaea9a5f9cae1b
• Opcode Fuzzy Hash: c3bdc423bc906938b907a88840b19e00afc1d22f348758823d126643a4692fb8
• Instruction Fuzzy Hash: 5721DBB590021C9FCF15DFA4CD89ADDBBB9BF49304F4040DAE509E7211CA749E858F94
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004060C7
  • Part of subcall function 0041C803: __EH_prolog3.LIBCMT ref: 0041C80A
  • Part of subcall function 0040CC44: __EH_prolog3.LIBCMT ref: 0040CC4B
  • Part of subcall function 0040CC44: luaL_newstate.LUA5.1(000000FF,00000004,00406164,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0040CC6A
  • Part of subcall function 0040CC44: luaL_openlibs.LUA5.1(00000000,000000FF,00000004,00406164,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0040CC7F
  • Part of subcall function 0040CC44: lua_settop.LUA5.1(00000005,00000000,00000000,000000FF,00000004,00406164,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0040CC88
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 00440899: __EH_prolog3.LIBCMT ref: 004408A0
  • Part of subcall function 00419E06: __EH_prolog3.LIBCMT ref: 00419E0D
  • Part of subcall function 00403687: __EH_prolog3.LIBCMT ref: 0040368E
  • Part of subcall function 00453466: __EH_prolog3.LIBCMT ref: 0045346D
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• __time64.LIBCMT ref: 004063D5
  • Part of subcall function 005B5F5F: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00439F6A,00000000,00000010,00404C11,** [END] ProcessInBuffer !ReadFromDisk,00000001), ref: 005B5F6A
  • Part of subcall function 005B5F5F: __aulldiv.LIBCMT ref: 005B5F8A
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$Time$FileL_newstate.L_openlibs.System__aulldiv__time64_strlenlua_settop.
• String ID: !$C:\temp\SUF_SFX_TEST\$Unknown
• API String ID: 3492532725-3646170354
• Opcode ID: fe8626150ef14a28e7e8cb209215f57995f0a3b284d4ed1177f0fe670d395b1f
• Instruction ID: 6514961cb838c387339fdeeb49d0c1aba93dcbc7a31ddbfc98c63869a35db57d
• Opcode Fuzzy Hash: fe8626150ef14a28e7e8cb209215f57995f0a3b284d4ed1177f0fe670d395b1f
• Instruction Fuzzy Hash: D2B16F74805B44DDD715EF75C591BDAFBE0AF25308F80485EA4AF63282CB783608DB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00495D9F
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 004A26F3: __EH_prolog3_GS.LIBCMT ref: 004A26FA
  • Part of subcall function 0043A2C6: __EH_prolog3.LIBCMT ref: 0043A2CD
  • Part of subcall function 004AADE0: __EH_prolog3.LIBCMT ref: 004AADE7
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$H_prolog3__malloc
• String ID: IDS_CTRL_BUTTON_BACK$IDS_CTRL_BUTTON_CANCEL$IDS_CTRL_BUTTON_HELP$IDS_CTRL_BUTTON_NEXT
• API String ID: 534863677-2679619293
• Opcode ID: 313f2a568404646e56cc717cf5c43d73db14a55be1ffd1d68af161b8c9e221fd
• Instruction ID: 8462461c20c031ecd194dd3403e519ade6fccd1fb8bf50a2e450e1a4d7074a14
• Opcode Fuzzy Hash: 313f2a568404646e56cc717cf5c43d73db14a55be1ffd1d68af161b8c9e221fd
• Instruction Fuzzy Hash: D07176B0D00706EBCB04EFAAC9525AEBBB5BF09724F10431EF125A72D1DB785611CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00425D07
  • Part of subcall function 0044A8A2: __EH_prolog3_GS.LIBCMT ref: 0044A8AC
• MessageBoxA.USER32(?,?,00000000,?), ref: 00425EF0
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3_$Message
• String ID: ERR_ARCHIVE_INTEGRITY$MSG_ERROR$Verify archive integrity
• API String ID: 3988267852-2868250619
• Opcode ID: 84b10cfb4a57cfc72ee97695ae962451a0d6f80154fadefb411c534e22b875d8
• Instruction ID: ff6cc2f4b6dbf86dd0907479ff0d022d817d4fa1bbd8b1d6086f1ddec9b10a7f
• Opcode Fuzzy Hash: 84b10cfb4a57cfc72ee97695ae962451a0d6f80154fadefb411c534e22b875d8
• Instruction Fuzzy Hash: CE515E70A001289FCB24DF59DD91AE9B7B5AF49324F4140EEE10DA72A2DB381E80CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00410321
  • Part of subcall function 004C6401: __EH_prolog3.LIBCMT ref: 004C6408
  • Part of subcall function 004C6401: SetRectEmpty.USER32(?), ref: 004C64AA
  • Part of subcall function 0040FF40: __EH_prolog3.LIBCMT ref: 0040FF47
  • Part of subcall function 0040FF40: _strlen.LIBCMT ref: 0040FFE3
  • Part of subcall function 0040F9BF: __EH_prolog3.LIBCMT ref: 0040F9C6
  • Part of subcall function 0040F9BF: GetFileAttributesA.KERNEL32(?), ref: 0040FA3E
  • Part of subcall function 0040F9BF: ExtractIconA.SHELL32(?,?,00000000), ref: 0040FA55
  • Part of subcall function 0040F9BF: LoadIconA.USER32(?,00000073), ref: 0040FA75
• LoadCursorA.USER32(00000000,00007F00), ref: 004103F1
  • Part of subcall function 004BF1C9: __snwprintf_s.LIBCMT ref: 004BF214
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
  • Part of subcall function 004C6877: LoadMenuA.USER32(?,?), ref: 004C6897
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3Load$Icon_strlen$AttributesCursorEmptyExtractFileH_prolog3_MenuRect__snwprintf_s
• String ID: %WindowTitle%$%WindowTitleUninstall%$Setup Application
• API String ID: 3136545289-4203591063
• Opcode ID: f91e1b498c191e012b1a5d13725df8fabee566653df4e890c35e2a8378b9b109
• Instruction ID: 544d9c7ea3191b2daf23db1e8ecc8cfacc3e720bf763c029d3feb3cc4f9b36ef
• Opcode Fuzzy Hash: f91e1b498c191e012b1a5d13725df8fabee566653df4e890c35e2a8378b9b109
• Instruction Fuzzy Hash: CD518470900644DFDB15EFA9C981AEEBBB8AF04318F54416FF115772D2DB782940CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00484FE0
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 00484584: __EH_prolog3.LIBCMT ref: 0048458B
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: End deleting files$Failed to delete one or more files$Invalid source$Start deleting files
• API String ID: 431132790-3723306913
• Opcode ID: a7492b591834adcb8266a2f371cf5afcbd7a4feb1be4bd279d18b1cdcbe1c022
• Instruction ID: 14a6b71bee0dca5d46d573b660f33e22b0ab86944e05c0a735af55a5f0395c75
• Opcode Fuzzy Hash: a7492b591834adcb8266a2f371cf5afcbd7a4feb1be4bd279d18b1cdcbe1c022
                                                                                                                              • Instruction Fuzzy Hash: 4121C6707006019BCB18BF69C89696E7BF2AF88714700851FF1479B3D1DF38AD018B9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(00000000), ref: 0040F42B
• GetSystemMetrics.USER32(00000001), ref: 0040F43A
• IsWindow.USER32(?), ref: 0040F464
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: MetricsSystem$Window
• String ID:
• API String ID: 1155976603-0
• Opcode ID: afecd68ca6e348e64a7a443643295b229eb7b6362a79f76510021dfaacd6730f
• Instruction ID: 99e93b408323617b140028d8ed73d71b4ff401aeca781491c7eaaa0bbbc0a8d2
• Opcode Fuzzy Hash: afecd68ca6e348e64a7a443643295b229eb7b6362a79f76510021dfaacd6730f
• Instruction Fuzzy Hash: 394157B1900705AFDB20DF78C984A4BBBF8FB14314F14863AE9459BA90D738E908CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004B0462
• GetWindowRect.USER32(?,?), ref: 004B047B
  • Part of subcall function 004B791F: ScreenToClient.USER32(?,?), ref: 004B7930
  • Part of subcall function 004B791F: ScreenToClient.USER32(?,?), ref: 004B793D
  • Part of subcall function 004B871B: GetDlgItem.USER32(?,?), ref: 004B872C
• GetWindowRect.USER32(?,?), ref: 004B0498
• LoadIconA.USER32(?,00000073), ref: 004B04BE
• SendMessageA.USER32(?,00000080,00000000,00000000), ref: 004B04CF
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ClientRect$ScreenWindow$IconItemLoadMessageSend
• String ID:
• API String ID: 1742658178-0
• Opcode ID: 6415d357f28b8735c1df4822b593f97f1f05ea4c1186fa1bb5e0e786ec7e2ad5
• Instruction ID: c8ff9c2ea82d51ed1613ef4a00d2e19e05506b3ba2256031696dc6e2f9793490
• Opcode Fuzzy Hash: 6415d357f28b8735c1df4822b593f97f1f05ea4c1186fa1bb5e0e786ec7e2ad5
• Instruction Fuzzy Hash: 51115BB1A00208AFDB10EF79CC45EEEBBF9FF48304F00446AE58693561DA34AA008B64
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000001,00000000,?,?), ref: 004D4996
• _memset.LIBCMT ref: 004D49B3
• GetWindowTextA.USER32(?,00000000,00000100), ref: 004D49CD
• lstrcmp.KERNEL32(00000000,00000001), ref: 004D49DF
• SetWindowTextA.USER32(?,00000001), ref: 004D49EB
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
• String ID:
• API String ID: 4273134663-0
• Opcode ID: 4a92289861294db0525a6efe15941e1c76e387b3e9cad5eb7d5ecf87a0a3a65b
• Instruction ID: 75a2df91f8a76a76aa9e37672bf7bc5b03bc6f616c9716464034dcf6c86f78cb
• Opcode Fuzzy Hash: 4a92289861294db0525a6efe15941e1c76e387b3e9cad5eb7d5ecf87a0a3a65b
• Instruction Fuzzy Hash: 2C01D6B6601114ABDB20AF759C95FEF77ADEB85740F0000A7F546D3241EA789E448BB4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(?,00000000,?,?,?), ref: 0040F6E5
• RemoveMenu.USER32(?,0000F000,00000000,00000000,?,?,?), ref: 0040F706
• RemoveMenu.USER32(?,0000F010,00000000,?,?,?), ref: 0040F711
• RemoveMenu.USER32(?,0000F030,00000000,?,?,?), ref: 0040F71C
• RemoveMenu.USER32(?,0000F020,00000000,?,?,?), ref: 0040F727
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Menu$Remove$System
• String ID:
• API String ID: 1817084541-0
• Opcode ID: e76d138b187e25983bf8500d474f56c6bfb23f262933950599fa275c92b43fc6
• Instruction ID: 018801e066f95afbb0997612c77401e111a54cf50fcf1850825ebb964a22665e
• Opcode Fuzzy Hash: e76d138b187e25983bf8500d474f56c6bfb23f262933950599fa275c92b43fc6
• Instruction Fuzzy Hash: AEF09C715001197FD7301BB1DC45D3BBE1DFB043F47004537B614628A1C671AC10E694
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0043756C
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0040C578: lua_getfield.LUA5.1(0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C58C
  • Part of subcall function 0040C578: lua_isnumber.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C596
  • Part of subcall function 0040C578: lua_tonumber.LUA5.1(0000C264,000000FF), ref: 0040C5A7
  • Part of subcall function 0040C578: lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C5BA
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
  • Part of subcall function 004278AD: __EH_prolog3.LIBCMT ref: 004278B4
Strings
• MSG_PROG_CHECKING_FILES, xrefs: 004375C5
• INSTALL_STAGE_PREPARING, xrefs: 0043758E
• MSG_PROG_CHECKING_DRIVESPACE, xrefs: 0043788B
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throwlua_getfield.lua_isnumber.lua_remove.lua_tonumber.
• String ID: INSTALL_STAGE_PREPARING$MSG_PROG_CHECKING_DRIVESPACE$MSG_PROG_CHECKING_FILES
• API String ID: 2982315526-2391240801
• Opcode ID: 058e34f6c871d464848eb2de10ebb241af4334e5f1b45abcef70c2f60c606445
• Instruction ID: 341226f509a2c4e3a0d9add75a64ff10c40779562ccd6fd4e06d73a157241031
• Opcode Fuzzy Hash: 058e34f6c871d464848eb2de10ebb241af4334e5f1b45abcef70c2f60c606445
• Instruction Fuzzy Hash: 84C13FB0E042059FCB14DFA9C886AEE77B5FF49324F04456EF455A7392CB38A801CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00406959
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 004067BC: __EH_prolog3_GS.LIBCMT ref: 004067C6
  • Part of subcall function 004067BC: GetTempPathA.KERNEL32(00000104,?), ref: 00406806
  • Part of subcall function 004067BC: _strlen.LIBCMT ref: 00406862
  • Part of subcall function 004067BC: GetTempFileNameA.KERNEL32(?,sufun,00000000,?,tmp,00000000), ref: 0040688A
  • Part of subcall function 004067BC: _strlen.LIBCMT ref: 0040689B
• SetFileAttributesA.KERNEL32(?,00000080,?,?,00000001,00001000,00000000,?,00008000,00000000,00000000,00000000,00000078), ref: 00406DA0
• DeleteFileA.KERNEL32(?), ref: 00406DA9
  • Part of subcall function 004C213C: __EH_prolog3_catch_GS.LIBCMT ref: 004C2146
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$H_prolog3Temp_strlen$AttributesDeleteH_prolog3_H_prolog3_catch_NamePath
                                                                                                                              • String ID: Constants
                                                                                                                              • API String ID: 2974014962-289176987
                                                                                                                              • Opcode ID: db7b0347c894976e575fb99079ecdbe9aede5b514061fbe6e5c9576477d9b5d9
                                                                                                                              • Instruction ID: 9d4199288d0bf3aa795d17ba980c8f5fd9b737e6d8b057213c53f69c96193bbb
                                                                                                                              • Opcode Fuzzy Hash: db7b0347c894976e575fb99079ecdbe9aede5b514061fbe6e5c9576477d9b5d9
                                                                                                                              • Instruction Fuzzy Hash: 09E15C7090020ADFCB14DBA4C884EEEB7B5BF54308F14859EF15AA72A2DB386A44CB54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004458DB
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,NoName,0000000C,00446312,00000000,?,00000000,00000006,00000000,?), ref: 00445994
• RegQueryValueExA.KERNEL32(?,00000000,00000000,?,?,?,00000000,000000FF,?,00451A65,00000000,?,00000000,00020019,00000000,00000000), ref: 00445A01
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3QueryValue
• String ID: NoName
• API String ID: 2373586757-1084695559
• Opcode ID: 6c34fb76c86a00a4e2aa3f5d976652e994c8d19a540bc29317e12c21211d2dd5
• Instruction ID: aaa8586c3ea0bdd6543efa0fcfa3e2751c87d85623b07de9ca53c83627b2a8eb
• Opcode Fuzzy Hash: 6c34fb76c86a00a4e2aa3f5d976652e994c8d19a540bc29317e12c21211d2dd5
• Instruction Fuzzy Hash: 78514DB190060AAFDF14DFA5C8D19BFB7B4EF14318B50462EF516A7291DB38AE40CB58
Uniqueness

Uniqueness Score: -1.00%


APIs
• __EH_prolog3.LIBCMT ref: 0049B2ED
  • Part of subcall function 00495D98: __EH_prolog3.LIBCMT ref: 00495D9F
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID: IDS_CTRL_HEADINGTEXT_BODY$IDS_CTRL_STATICTEXT_BODY$d
• API String ID: 1683881009-1169261666
• Opcode ID: 0e49c189689075ad5c9071e6bce8f52527e3f06028edf8a2100be12d4735ec86
• Instruction ID: 939313588ecb4c4ef44c195ab12a574873ca2e876672acbcac578cb8929b0269
• Opcode Fuzzy Hash: 0e49c189689075ad5c9071e6bce8f52527e3f06028edf8a2100be12d4735ec86
• Instruction Fuzzy Hash: DB41D670900705DBCB24EFAAC8526AFBBF4BF45324F10471EE166A72D1CB785604CBA5
Uniqueness

Uniqueness Score: -1.00%


APIs
• __EH_prolog3.LIBCMT ref: 0043F3D5
• __time64.LIBCMT ref: 0043F3EE
  • Part of subcall function 005B5F5F: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00439F6A,00000000,00000010,00404C11,** [END] ProcessInBuffer !ReadFromDisk,00000001), ref: 005B5F6A
  • Part of subcall function 005B5F5F: __aulldiv.LIBCMT ref: 005B5F8A
  • Part of subcall function 0043F322: __EH_prolog3_GS.LIBCMT ref: 0043F329
  • Part of subcall function 0043F322: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043F371
  • Part of subcall function 0043F322: __fassign.LIBCMT ref: 0043F389
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Time$FileH_prolog3H_prolog3_System__aulldiv__fassign__time64_strlenlstrlen
• String ID: %CompanyName%$%CompanyURL%
• API String ID: 1881766755-3998575189
• Opcode ID: e5fca4b182f9d04d1902db677f768de7da90307287cfdf4abb7f82b6b7b4ebdd
• Instruction ID: 5105b56d9845c78cd6ddb4c145b052a05579c23c92088d19a4647a4d7cda0493
• Opcode Fuzzy Hash: e5fca4b182f9d04d1902db677f768de7da90307287cfdf4abb7f82b6b7b4ebdd
• Instruction Fuzzy Hash: AB215CB0800B048FC724EF66C9929ABFBF4FF98714B504A2EE09793A91DB74B544CB10
Uniqueness

Uniqueness Score: -1.00%


APIs
• __EH_prolog3.LIBCMT ref: 00440FA2
  • Part of subcall function 004B876E: SetDlgItemTextA.USER32(?,?,?), ref: 004B8782
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
• _strlen.LIBCMT ref: 00441027
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$ItemText_strlen
• String ID: Initializing...$MSG_INITIALIZING
• API String ID: 1130358893-1400418863
• Opcode ID: 16310ed88656a9a50074d9262547ca357c85c05452cc7fd456dcfed9c01ef119
• Instruction ID: 9896458aaf37dde6f64fe3894bdde2d3e15da1e2c5a5a8e75fe77b1b501d87ee
• Opcode Fuzzy Hash: 16310ed88656a9a50074d9262547ca357c85c05452cc7fd456dcfed9c01ef119
• Instruction Fuzzy Hash: D711CE31910116ABDB08F7B5CD52BFE7769AF91318F50052EB412B72D2CE382A01C679
Uniqueness

Uniqueness Score: -1.00%


APIs
• GetCurrentProcess.KERNEL32(00000008,?,76A1F010,?,004591AF), ref: 00458F1C
• OpenProcessToken.ADVAPI32(00000000,?,004591AF), ref: 00458F23
• GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),004591AF,00000004,?,?,004591AF), ref: 00458F3C
• CloseHandle.KERNEL32(00000000,?,004591AF), ref: 00458F5D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: f32db9fc75154aff66f02febb6651cb6a121f115b1c4b79ef1ccc234c40b3c44
• Instruction ID: 32246bd4c572361810724ea4bb94f376156821456e6dd3e1cf620288d564cc5e
• Opcode Fuzzy Hash: f32db9fc75154aff66f02febb6651cb6a121f115b1c4b79ef1ccc234c40b3c44
• Instruction Fuzzy Hash: 31F062B2500118ABDF509BA1DC49A9FB77EEB08742F005056AD05F2191DF348F0CD798
Uniqueness

Uniqueness Score: -1.00%


                                                                                                                              APIs
                                                                                                                              Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FreeH_prolog3Library
• String ID:
• API String ID: 1631603194-3916222277
• Opcode ID: 99b72b9934228aff5a59330d7ccee98977775f9817a4ba57e08b2fceee69ea51
• Instruction ID: 2cddbf5fc9d1921f82863c8cac73a1eedda5caccbc21eb6de35e5e82688cc2bb
• Opcode Fuzzy Hash: 99b72b9934228aff5a59330d7ccee98977775f9817a4ba57e08b2fceee69ea51
• Instruction Fuzzy Hash: DFA19F34500B44DBDB14EBB5C595BEEB7A1AF65304F40896ED49BA32C2DF3CAA04CB19
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004262C9
  • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Global include script: %s$Include script:
• API String ID: 431132790-2954161150
• Opcode ID: 6f7b91ace1ad39ad5f8025a1a43fc186ca4ba94b97e2eb3059607a0d99d1eea8
• Instruction ID: a6da63d34b4f1b8e2307afa6a16e9cce30dc3c7d8fa72cb4c6072385dfcb1110
• Opcode Fuzzy Hash: 6f7b91ace1ad39ad5f8025a1a43fc186ca4ba94b97e2eb3059607a0d99d1eea8
• Instruction Fuzzy Hash: A551B371E00109DFCB04EFA9D982AAEB7B4AF15324F55416EF151A73D2DB38AD00CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
• __EH_prolog3.LIBCMT ref: 0043B68E
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415183
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415210
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415231
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _strlen$H_prolog3
• String ID: Messages$SUF70Messages
• API String ID: 2883720156-3546710208
• Opcode ID: 181ffe2da18e5b587a705d300779f15bb3274006208cd4a4a80a239d5c320e53
• Instruction ID: b4199b725145aa4922ddda2a54367824652d058e283d71b41ee2e88a8f515c0c
• Opcode Fuzzy Hash: 181ffe2da18e5b587a705d300779f15bb3274006208cd4a4a80a239d5c320e53
• Instruction Fuzzy Hash: 8011C6717002049BDB14BB768C53FAF6699DF88B14F11543FBA069B283DA289C44C7EA
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004357D4
  • Part of subcall function 00405C53: __EH_prolog3.LIBCMT ref: 00405C5A
  • Part of subcall function 00405C53: lua_getfield.LUA5.1(?,FFFFD8EE,SetupData,?,?,?,00000000,00000004), ref: 00405C9A
  • Part of subcall function 00405C53: lua_type.LUA5.1(?,000000FF,?,FFFFD8EE,SetupData,?,?,?,00000000,00000004), ref: 00405CA2
  • Part of subcall function 00405C53: lua_pushstring.LUA5.1(?,GetAppShortcutFolderPath), ref: 00405CB5
  • Part of subcall function 00405C53: lua_gettable.LUA5.1(?,000000FE,?,GetAppShortcutFolderPath), ref: 00405CBD
  • Part of subcall function 00405C53: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,GetAppShortcutFolderPath), ref: 00405CC5
  • Part of subcall function 00405C53: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,GetAppShortcutFolderPath), ref: 00405CCD
  • Part of subcall function 00405C53: lua_pcall.LUA5.1(?,00000000,00000001,00000000), ref: 00405CDF
  • Part of subcall function 00405C53: lua_isstring.LUA5.1(?,000000FF), ref: 00405CEE
  • Part of subcall function 00405C53: lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 00405CFD
  • Part of subcall function 00405C53: lua_settop.LUA5.1(?,00000000), ref: 00405D21
• SHChangeNotify.SHELL32(00000008,00000001,?,00000000), ref: 004358B5
• SHChangeNotify.SHELL32(00001000,00000001,?,00000000), ref: 00435986
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$ChangeNotifylua_type.$Exception@8Throwlua_getfield.lua_gettable.lua_isstring.lua_pcall.lua_pushstring.lua_remove.lua_settop.lua_tolstring.
• String ID:
• API String ID: 2376141247-0
• Opcode ID: 16725aae54bf8a05049745d3144639e1357b35ea704f9943fb28d9ab89561330
• Instruction ID: f02e862ee6a469edd215d1f42420aaa1e4481b8540a8c68394833c54e9d06668
• Opcode Fuzzy Hash: 16725aae54bf8a05049745d3144639e1357b35ea704f9943fb28d9ab89561330
• Instruction Fuzzy Hash: C2512C71E00542CFCF18EBA4C881ABEB771AF48314F19906FE5452B392DB389D41CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• _memset.LIBCMT ref: 00572651
• _memset.LIBCMT ref: 00572681
• _memset.LIBCMT ref: 00572700
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memset$Exception@8H_prolog3Throw
• String ID:
• API String ID: 3954392632-0
• Opcode ID: dfb8f1502ec594f49237b4172233581e2204fa0bd7f90ccdfaab0878f7964187
• Instruction ID: 57e4627e674aa0b94908f84f376420d6d7a1425f19b847318f5c1cd90d1e1cf4
• Opcode Fuzzy Hash: dfb8f1502ec594f49237b4172233581e2204fa0bd7f90ccdfaab0878f7964187
• Instruction Fuzzy Hash: 9A41D1B1700B019BDB249E6AD881B677BE9FF80354F20C92EF55ECB641EA34F9419B50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• _memset.LIBCMT ref: 004D28B4
• _memset.LIBCMT ref: 004D28DD
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
• _memset.LIBCMT ref: 004D2964
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memset$Exception@8H_prolog3Throw_malloc
• String ID:
• API String ID: 2916024377-0
• Opcode ID: f24e0b82de37896257f43158a9d79aaadf10faca8b6ae6627d0305b4c13d7e44
• Instruction ID: 9428f07e5876b9ac1f91ec52ee5f2dc89a956b587546566e78f593d03493d2e7
• Opcode Fuzzy Hash: f24e0b82de37896257f43158a9d79aaadf10faca8b6ae6627d0305b4c13d7e44
• Instruction Fuzzy Hash: 023103B17007019BD720AF6ACDE1A1BBBE5EB90354B10C92FF15ADB701D6B9E940CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• _memset.LIBCMT ref: 004C270B
                                                                                                                              • _memset.LIBCMT ref: 004C2730
                                                                                                                              • _memset.LIBCMT ref: 004C27A8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$Exception@8H_prolog3Throw
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3954392632-0
                                                                                                                              • Opcode ID: cca0cfb1f7e56783b001057b2dbf6859836dc4f60ac66284293b3ba2ab0235d8
                                                                                                                              • Instruction ID: fa06b2c8758a7909894c4313d8569ec7728d4a5dec69a9af1b24ad551cccc6ac
                                                                                                                              • Opcode Fuzzy Hash: cca0cfb1f7e56783b001057b2dbf6859836dc4f60ac66284293b3ba2ab0235d8
                                                                                                                              • Instruction Fuzzy Hash: 1E31F6796007019BDB20AF2ACEC1E5B7AE5EB80758B10C43FE51ACB611D6F8E9418B58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00445639
                                                                                                                                • Part of subcall function 0044555A: __EH_prolog3.LIBCMT ref: 00445561
                                                                                                                                • Part of subcall function 0044555A: RegConnectRegistryA.ADVAPI32(00000000,80000001,?), ref: 004455E3
                                                                                                                              • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,?,00000000,?,00000008,00451A49,00000000,00020019,00000000), ref: 004456EA
                                                                                                                              • RegOpenKeyExA.KERNEL32(?,?,?,?,?,?,00000008,00451A49,00000000,00020019,00000000,00000000,00000000,00000000,?,0000005C), ref: 0044572A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$ConnectCreateOpenRegistry
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1903319790-0
                                                                                                                              • Opcode ID: 6cb1f7e5de44f9a705ba83b996efca93034e4766672fef9e5a95f2a2f325535d
                                                                                                                              • Instruction ID: 8b76dfa91d09497acb607cc84b412dd7995ac2c98ebe4b08f0be69fc36592031
                                                                                                                              • Opcode Fuzzy Hash: 6cb1f7e5de44f9a705ba83b996efca93034e4766672fef9e5a95f2a2f325535d
                                                                                                                              • Instruction Fuzzy Hash: 6831917150050AEFDF14EFA5C891AAE7BB5FF18314B10462EF416A72E1DB38AA11CB54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • K32EnumProcesses.KERNEL32(?,00001000,?), ref: 004444B0
                                                                                                                              • _memset.LIBCMT ref: 00444526
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00444562
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseEnumHandleProcesses_memset
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716639067-0
                                                                                                                              • Opcode ID: 98e159adcf41f94d7fba03eab9677cbe43c1ddb8154a627813625bb765e53ec3
                                                                                                                              • Instruction ID: 9fc98dbffeb1dcd6ea9409312b49427caa0fd5a2fa9704ace820c8fda7a7ad1d
                                                                                                                              • Opcode Fuzzy Hash: 98e159adcf41f94d7fba03eab9677cbe43c1ddb8154a627813625bb765e53ec3
                                                                                                                              • Instruction Fuzzy Hash: D131CF30600614ABEB24DF65DC85AEB77F8FB89749B00446AE646C2151EB78EA448B28
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
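Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python triage helper that parses API trace lines in the format used by the registry entry (RegConnectRegistryA / RegCreateKeyExA / RegOpenKeyExA) and the process-enumeration entry (K32EnumProcesses) above, and decodes the hex constants a reviewer would otherwise look up by hand: predefined HKEY roots (80000001 is HKEY_CURRENT_USER), registry access masks (00020019 is KEY_READ) and the buffer size handed to K32EnumProcesses (0x1000 bytes holds 1024 DWORD PIDs). The parser, the helper names and SAMPLE_LINES are constructed for this example; the constant tables are the standard winreg.h / winnt.h values. One caveat the code has to respect: the argument lists in these entries are stack snapshots and are often longer than the API's real parameter list (RegOpenKeyExA takes five parameters, the listing shows sixteen values), so the helper scans every value for recognisable constants instead of trusting positions, and only assumes positional meaning for K32EnumProcesses, where the first three values line up with the (lpidProcess, cb, lpcbNeeded) prototype.

```python
"""Decode Win32 constants in Joe Sandbox API trace lines (added example).

Parser, helper names and SAMPLE_LINES are constructed for this example;
the constant tables are the standard winreg.h / winnt.h values.
"""
import re
from typing import Optional

# Predefined registry root handles (winreg.h)
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Registry access rights (winnt.h). Composite masks come first so that a
# plain KEY_READ (0x20019) is reported as one name rather than four bits.
REG_RIGHTS = [
    (0x000F003F, "KEY_ALL_ACCESS"),
    (0x00020019, "KEY_READ"),
    (0x00020006, "KEY_WRITE"),
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
]
STANDARD_RIGHTS_ALL = 0x001F0000

# "<Api>.<Module>(<stack values>), ref: <call site>"  (Joe Sandbox trace format)
_TRACE_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Lines quoted from the report entries above (constructed input for this example)
SAMPLE_LINES = [
    "• Part of subcall function 0044555A: RegConnectRegistryA.ADVAPI32(00000000,80000001,?), ref: 004455E3",
    "• RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,?,00000000,?,00000008,00451A49,00000000,00020019,00000000), ref: 004456EA",
    "• RegOpenKeyExA.KERNEL32(?,?,?,?,?,?,00000008,00451A49,00000000,00020019,00000000,00000000,00000000,00000000,?,0000005C), ref: 0044572A",
    "• K32EnumProcesses.KERNEL32(?,00001000,?), ref: 004444B0",
    "• _memset.LIBCMT ref: 00444526",
]


def parse_trace_line(line: str) -> Optional[dict]:
    """Split one trace line into api, module, stack values and call site."""
    m = _TRACE_LINE.search(line)
    if not m:
        return None  # e.g. '_memset.LIBCMT ref: ...' carries no argument list
    api, module, raw_args, ref = m.groups()
    args = []
    for tok in raw_args.split(","):
        tok = tok.strip()
        # '?' marks a value the sandbox could not resolve; anything that is not
        # an 8-digit hex word (for instance an inline string) is treated the same.
        args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None)
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def decode_access_mask(mask: int) -> list[str]:
    """Name the rights in a samDesired mask; unexplained bits are kept as hex."""
    names, remaining = [], mask
    for value, name in REG_RIGHTS:
        if (remaining & value) == value:
            names.append(name)
            remaining &= ~value
    if remaining:
        names.append(f"0x{remaining:08X}")
    return names


def annotate(call: dict) -> list[str]:
    """Explain the stack values of one parsed call that map to known constants."""
    notes = []
    api, args = call["api"], call["args"]
    for i, v in enumerate(args):
        if v is None or not api.startswith("Reg"):
            continue
        if v in HKEY_ROOTS:
            notes.append(f"arg{i}=0x{v:08X} -> {HKEY_ROOTS[v]}")
        elif v & STANDARD_RIGHTS_ALL:
            # Report a value as an access mask only if every bit is a known right:
            # a return address such as 0x00451A49 also has bits in the standard-
            # rights range but leaves an unexplained remainder.
            names = decode_access_mask(v)
            if not names[-1].startswith("0x"):
                notes.append(f"arg{i}=0x{v:08X} -> {'|'.join(names)}")
    if api == "K32EnumProcesses" and len(args) > 1 and args[1] is not None:
        # Prototype (lpidProcess, cb, lpcbNeeded): cb is a byte count, PIDs are DWORDs
        notes.append(f"cb=0x{args[1]:X} -> room for {args[1] // 4} PIDs")
    return notes


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map 'Api@callsite' to its decoded notes for every parsable line."""
    result = {}
    for line in lines:
        call = parse_trace_line(line)
        if call is not None:
            result[f"{call['api']}@{call['ref']:08X}"] = annotate(call)
    return result


if __name__ == "__main__":
    for key, notes in triage(SAMPLE_LINES).items():
        print(key, notes)
```

Run as a script it prints one line per call site; the registry calls resolve to HKEY_CURRENT_USER opened with KEY_READ, which is consistent with an installer reading per-user configuration rather than writing persistence keys, while the 0x1000-byte PID buffer is the usual shape of a process-walk loop such as the one the report's "AV process strings found" signature refers to. The same decoder can be pointed at the other Reg* and K32* entries in the report without changes.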

                                                                                                                              APIs
                                                                                                                              • __time64.LIBCMT ref: 00449F08
                                                                                                                                • Part of subcall function 005B5F5F: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00439F6A,00000000,00000010,00404C11,** [END] ProcessInBuffer !ReadFromDisk,00000001), ref: 005B5F6A
                                                                                                                                • Part of subcall function 005B5F5F: __aulldiv.LIBCMT ref: 005B5F8A
                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(00000001,?,?), ref: 00449F18
                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00449F2E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Time$File$System$Local__aulldiv__time64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1325953181-0
                                                                                                                              • Opcode ID: 7d5eda5d7c17afcaa90afc124eb34680b6a17d4e7f5dbb10a19980429e78bceb
                                                                                                                              • Instruction ID: 137103f93c3a36310d6fcee4b1bc602af07ef2b4b6b640045022c8db07218818
                                                                                                                              • Opcode Fuzzy Hash: 7d5eda5d7c17afcaa90afc124eb34680b6a17d4e7f5dbb10a19980429e78bceb
                                                                                                                              • Instruction Fuzzy Hash: ED217A71A00219AADB188FA8D8416FFB7F8AF08711F10412FF816E6280FB38DD44DB58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0043F329
                                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043F371
                                                                                                                              • __fassign.LIBCMT ref: 0043F389
                                                                                                                                • Part of subcall function 005B7CE6: __wcstombs_l_helper.LIBCMT ref: 005B7CF6
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3___fassign__mbsinc__wcstombs_l_helper_strlenlstrlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3507903230-0
                                                                                                                              • Opcode ID: bae7098e8de5e4521b4184293ed22974e0d8bac9042f097458197bcfa5bbe6ce
                                                                                                                              • Instruction ID: 01b4a8a456310bc556cf941e9091665af5c5593e7d5aafa74801d30152924d29
                                                                                                                              • Opcode Fuzzy Hash: bae7098e8de5e4521b4184293ed22974e0d8bac9042f097458197bcfa5bbe6ce
                                                                                                                              • Instruction Fuzzy Hash: 71114CB1904108EBCB01AFA5CD49ADDBAF9AF8C308F50405AF001B7252DB796E008BA9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetMessageA.USER32(00000030,00000000,00000000,00000000), ref: 004C1927
                                                                                                                              • TranslateMessage.USER32(00000030), ref: 004C1946
                                                                                                                              • DispatchMessageA.USER32(00000030), ref: 004C194D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Message$DispatchTranslate
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1706434739-0
                                                                                                                              • Opcode ID: aa67f5c3532f9ed918bb61762df46c0d23c030e8761d42cb2870a2cf1cd8128f
                                                                                                                              • Instruction ID: 3a48fe3be2e58022b0479d476e5cf68954e2b1d9cd1a068b3aa2f2b679990756
                                                                                                                              • Opcode Fuzzy Hash: aa67f5c3532f9ed918bb61762df46c0d23c030e8761d42cb2870a2cf1cd8128f
                                                                                                                              • Instruction Fuzzy Hash: E5F054793141019B97A56B21AD58F3F37ADEF83715305945FF402DA521DB3CDD02C625
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000,005D7DB0), ref: 005D78E5
                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,005D7DB0), ref: 005D78EF
                                                                                                                              • RtlInitializeCriticalSection.NTDLL(00766CDC), ref: 005D78F8
                                                                                                                                • Part of subcall function 005D77A8: __EH_prolog3.LIBCMT ref: 005D77AF
                                                                                                                                • Part of subcall function 005D77A8: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,00000008,005D790B,?,00000000,005D7DB0), ref: 005D7859
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateEvent$CriticalH_prolog3InitializeSection
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 853632984-0
                                                                                                                              • Opcode ID: 74f18d164a49f984b0b99c8118f0e208d626ed1b16c55c559a80bde23efdfc0f
                                                                                                                              • Instruction ID: 2098cc38ac30defdec77c0c00120e7876c1919a2f17b11f2b2b41c875d04ac40
                                                                                                                              • Opcode Fuzzy Hash: 74f18d164a49f984b0b99c8118f0e208d626ed1b16c55c559a80bde23efdfc0f
                                                                                                                              • Instruction Fuzzy Hash: 3CF030B25047546FD7219FAE9C84D57BBEDFB48714B40442FF18AC3650EAB5B8408B64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __getptd.LIBCMT ref: 005B99E5
                                                                                                                                • Part of subcall function 005C093E: __getptd_noexit.LIBCMT ref: 005C0941
                                                                                                                                • Part of subcall function 005C093E: __amsg_exit.LIBCMT ref: 005C094E
                                                                                                                              • __endthreadex.LIBCMT ref: 005B99F5
                                                                                                                                • Part of subcall function 005B99BA: __getptd_noexit.LIBCMT ref: 005B99BF
                                                                                                                                • Part of subcall function 005B99BA: __freeptd.LIBCMT ref: 005B99C9
                                                                                                                                • Part of subcall function 005B99BA: RtlExitUserThread.NTDLL(?,?,005B99FA,00000000), ref: 005B99D2
                                                                                                                                • Part of subcall function 005B99BA: __XcptFilter.LIBCMT ref: 005B9A06
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4175385852-0
                                                                                                                              • Opcode ID: 0f845f3f70725221d37237fa4b6275f3d2e7307b0e17be4a80889d17d95b1443
                                                                                                                              • Instruction ID: f6b0f23288c684e4ba658460e8918f9fb5ab2923cc7bb97a4101bc6ba6eebf78
                                                                                                                              • Opcode Fuzzy Hash: 0f845f3f70725221d37237fa4b6275f3d2e7307b0e17be4a80889d17d95b1443
                                                                                                                              • Instruction Fuzzy Hash: EEE0ECB19456059FEB08EBA0C85AF6D7F65FF85701F21404CF2015B2A2CA79AD40DF21
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
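The "API ID" printed under Similarity for each function is a text key built from the API names in that function's APIs list (compare CreateEvent$CriticalH_prolog3InitializeSection with the three CreateEventA calls, RtlInitializeCriticalSection and __EH_prolog3 listed for that function). The following is an added example, not Joe Sandbox's code: it parses the APIs lines exactly as they are printed in this report and rebuilds the API ID from them. The normalisation rules are inferred from the values visible on this page and are assumptions (the Rtl/Set prefix stop-list, discarding tokens with no lower-case letter, counting both direct calls and "Part of subcall function" lines, ASCII sort order); the numeric API String ID hash is not reproduced. The sample inputs are copied from the entries above.

```python
"""Parse Joe Sandbox 'APIs' entries and rebuild the 'API ID' similarity key.

Added example, not Joe Sandbox's code. Token rules are inferred from the
API ID values shown on this page and may differ from the real implementation.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class ApiCall(NamedTuple):
    name: str            # API symbol as printed, e.g. 'CreateEventA'
    module: str          # module tag, e.g. 'KERNEL32', 'NTDLL', 'LIBCMT'
    args: List[str]      # argument snapshot as printed (empty if none)
    ref: int             # call-site address from 'ref: XXXXXXXX'
    parent: Optional[str]  # subcall function address, None for direct calls


# One bullet line: optional 'Part of subcall function ADDR:' prefix, then
# NAME.MODULE, optional '(args)', optional ',', then 'ref: ADDR'.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API call bullet found in a report 'APIs' block."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # 'APIs' heading, blank lines, anything else
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("parent")))
    return calls


# Assumption: generic prefixes the observed IDs drop ('Rtl' from
# RtlExitUserThread, 'Set' from SetFilePointer). The real list is unknown.
_STOP = {"Rtl", "Set"}
_CAMEL = re.compile(r"[A-Z][^A-Z]*")


def tokens(name: str) -> List[str]:
    """Split a symbol into the word tokens the key is built from.

    Symbols without an upper-case letter (CRT internals such as
    __getptd_noexit, _malloc) are kept whole. Otherwise the symbol is split at
    upper-case letters and tokens with no lower-case letter are discarded:
    the 'A' of CreateEventA, the 'E' of __EH_prolog3, and every piece of
    __NMSG_WRITE or __FF_MSGBANNER, which is why those do not appear in
    'AllocateHeap_malloc'.
    """
    if not re.search(r"[A-Z]", name):
        return [name]
    return [t for t in _CAMEL.findall(name)
            if t not in _STOP and re.search(r"[a-z]", t)]


def api_id(calls: List[ApiCall]) -> str:
    """Tokens seen more than once, sorted, then '$', then the rest sorted.

    Plain code-point order puts capitalised tokens before '__'-prefixed CRT
    names. No '$' section when nothing repeats.
    """
    counts = Counter(t for c in calls for t in tokens(c.name))
    repeated = "".join(sorted(t for t, n in counts.items() if n > 1))
    single = "".join(sorted(t for t, n in counts.items() if n == 1))
    return f"{repeated}${single}" if repeated else single


# Constructed sample input: the APIs blocks of two functions from this report.
SAMPLE_CREATE_EVENT = """APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000,005D7DB0), ref: 005D78E5
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,005D7DB0), ref: 005D78EF
• RtlInitializeCriticalSection.NTDLL(00766CDC), ref: 005D78F8
  • Part of subcall function 005D77A8: __EH_prolog3.LIBCMT ref: 005D77AF
  • Part of subcall function 005D77A8: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,00000008,005D790B,?,00000000,005D7DB0), ref: 005D7859
"""

SAMPLE_THREAD_EXIT = """APIs
• __getptd.LIBCMT ref: 005B99E5
  • Part of subcall function 005C093E: __getptd_noexit.LIBCMT ref: 005C0941
  • Part of subcall function 005C093E: __amsg_exit.LIBCMT ref: 005C094E
• __endthreadex.LIBCMT ref: 005B99F5
  • Part of subcall function 005B99BA: __getptd_noexit.LIBCMT ref: 005B99BF
  • Part of subcall function 005B99BA: __freeptd.LIBCMT ref: 005B99C9
  • Part of subcall function 005B99BA: RtlExitUserThread.NTDLL(?,?,005B99FA,00000000), ref: 005B99D2
  • Part of subcall function 005B99BA: __XcptFilter.LIBCMT ref: 005B9A06
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CREATE_EVENT, SAMPLE_THREAD_EXIT):
        calls = parse_api_lines(sample)
        print(len(calls), "calls ->", api_id(calls))
```

Running the block prints the two keys that the report shows for these functions. The parsed ApiCall records (module, call-site address, subcall parent) are the useful by-product: they can be pulled out of a whole report to list, for instance, every KERNEL32 import the sample resolves, without hand-copying addresses.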

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 004049E1
                                                                                                                                • Part of subcall function 0040962D: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,00403CB6,?,?,?,?,?,?,00000000), ref: 0040964D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FileH_prolog3_catchPointer
                                                                                                                              • String ID: %s.%d
                                                                                                                              • API String ID: 1029581113-645285463
                                                                                                                              • Opcode ID: 2cf28d0d7dbde8d696b693a3b024b2cc82cbbe99989841bf7c5819284448bd2d
                                                                                                                              • Instruction ID: f6bfabe15112e10d2021aedb37b825e30a7ba2fe20c25d73c94819169403aa61
                                                                                                                              • Opcode Fuzzy Hash: 2cf28d0d7dbde8d696b693a3b024b2cc82cbbe99989841bf7c5819284448bd2d
                                                                                                                              • Instruction Fuzzy Hash: B15160B1900609DFCB14DFA4C981AAFB7B4BF84314F10452EE566B76C1CB38BA00CB59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 00403DCD
                                                                                                                                • Part of subcall function 00441FC9: __EH_prolog3.LIBCMT ref: 00441FD0
                                                                                                                              Strings
                                                                                                                              • INSTALL_STAGE_INSTALLING_FILES, xrefs: 00403EED
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3H_prolog3_catch
                                                                                                                              • String ID: INSTALL_STAGE_INSTALLING_FILES
                                                                                                                              • API String ID: 1882928916-3727005748
                                                                                                                              • Opcode ID: 1413fb76772e08c3e8769e13a17ba786b31767eb109b1939fb073a1e69c15c79
                                                                                                                              • Instruction ID: 4c4b225032fc98407ecc922abed6584a764cdc155a9d17f40ffa592a14ad15ef
                                                                                                                              • Opcode Fuzzy Hash: 1413fb76772e08c3e8769e13a17ba786b31767eb109b1939fb073a1e69c15c79
                                                                                                                              • Instruction Fuzzy Hash: 3F516771D1060A9BCB14DFA6C8556EEBBF1FF48322F20851DE452B76A0DB386A05CF94
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: --@@
                                                                                                                              • API String ID: 431132790-3308024793
                                                                                                                              • Opcode ID: 78ceb95e7cfcb1bc6b59dba87163bc5351280eb06869bca0bf503ec8fc5a9fda
                                                                                                                              • Instruction ID: ac2b5ca2e8aad6e44eb1495fd6908b05e63b1d67ac6e56c3b5bf998b027f2299
                                                                                                                              • Opcode Fuzzy Hash: 78ceb95e7cfcb1bc6b59dba87163bc5351280eb06869bca0bf503ec8fc5a9fda
                                                                                                                              • Instruction Fuzzy Hash: 373164719005099BCB04EBF8C856AEF7768AF25328F14835EB526B72D2DB386604CB65
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _malloc.LIBCMT ref: 004B3CA8
                                                                                                                                • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
                                                                                                                                • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
                                                                                                                                • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap_malloc
                                                                                                                              • String ID: n<K
                                                                                                                              • API String ID: 501242067-804642527
                                                                                                                              • Opcode ID: 70ccda7115b5538b9a355c173a85d747d9f10a4687382083b19c9700fd6030eb
                                                                                                                              • Instruction ID: 425f89b3e108cb1748da0adde01facfce3b2915990464791145b534aac679131
                                                                                                                              • Opcode Fuzzy Hash: 70ccda7115b5538b9a355c173a85d747d9f10a4687382083b19c9700fd6030eb
                                                                                                                              • Instruction Fuzzy Hash: BBD0C23320811E675A211ED6DC005D6BF68AB817B13054022BC04E6210EA15DE0146E8
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000), ref: 00444151
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FreeLibrary
• String ID: +DD
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(UxTheme.dll), ref: 0043FB3A
Similarity
• API ID: LibraryLoad
• String ID: UxTheme.dll
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _memset
• String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0048444A
  • Part of subcall function 00461B2A: __EH_prolog3.LIBCMT ref: 00461B31
  • Part of subcall function 004825AF: __EH_prolog3.LIBCMT ref: 004825B6
• _strlen.LIBCMT ref: 004844CE
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 0044A6E6: __EH_prolog3.LIBCMT ref: 0044A6ED
Similarity
• API ID: H_prolog3$_memcpy_s$_strlen_strnlen
• String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 005D77AF
  • Part of subcall function 005D6FDF: SetEvent.KERNEL32(?,005D77E1,00000008,005D790B,?,00000000,005D7DB0), ref: 005D6FE2
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,00000008,005D790B,?,00000000,005D7DB0), ref: 005D7859
Similarity
• API ID: Event$CreateH_prolog3
• String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuA.USER32(?,?), ref: 004C6897
• DestroyMenu.USER32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,0041042D,?,Setup Application), ref: 004C6912
Similarity
• API ID: Menu$DestroyLoad
• String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00404E7A
Similarity
• API ID: AttributesFile
• String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 00404EFD
• DeleteFileA.KERNEL32(?,0000000C), ref: 00404FAA
  • Part of subcall function 0040962D: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,00403CB6,?,?,?,?,?,?,00000000), ref: 0040964D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: File$DeleteH_prolog3_catchPointer
• String ID:
• API String ID: 3963598556-0
• Opcode ID: a9ddcca6dbf9c5edc2f42dfc23696fc8e075db968b7a8cf04f83ec110f14a5d3
• Instruction ID: 9709beac7b1e45319a93a47515ac78f7f2f47d48cd15239805dedf14955f40cd
• Opcode Fuzzy Hash: a9ddcca6dbf9c5edc2f42dfc23696fc8e075db968b7a8cf04f83ec110f14a5d3
• Instruction Fuzzy Hash: 5C11AFB1600606DFCB21DF65888195B7BA1FFC5704B24843EFB05A6281D639D890CB9A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B87F6: GetWindowLongA.USER32(?,000000F0), ref: 004B8801
• GetWindowRect.USER32(?,?), ref: 004BCFE3
• GetWindow.USER32(?,00000004), ref: 004BD000
  • Part of subcall function 004B8974: IsWindowEnabled.USER32(?), ref: 004B897D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$EnabledLongRect
• String ID:
• API String ID: 3170195891-0
• Opcode ID: 57b31ca22d54c06492331068916c95bde77e0bf4c651ab53af9036eb318f0feb
• Instruction ID: 51950e6a6e8df0d008177dc4729bea961426fc9a1b35c00e95105864991f6082
• Opcode Fuzzy Hash: 57b31ca22d54c06492331068916c95bde77e0bf4c651ab53af9036eb318f0feb
• Instruction Fuzzy Hash: 72116030A002049BCF24EF6AC844AEFB7F9AF98754F50009BE401A7211EB78DD42CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040118C
• GetLastError.KERNEL32(?,?,00000000), ref: 0040119A
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: e71ff78fe9d1d678931d00fdb003892f89a636c29b92c59c42d52dd7430c14a9
• Instruction ID: 0e2aaf0c3e0af77ff8604a9acf290ee6c5f290eec8fbce575e00f235865a8dfe
• Opcode Fuzzy Hash: e71ff78fe9d1d678931d00fdb003892f89a636c29b92c59c42d52dd7430c14a9
• Instruction Fuzzy Hash: 2A01C471A10105BFCB18CF68D845EABB7F9EF4C710F24893BE612EB3A0D63499019B54
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DeleteH_prolog3Object
• String ID:
• API String ID: 2942389277-0
• Opcode ID: 706ebbc755093a5d9d8a18f64f7e8e886ba9319beb28ab5bbd1b3db866458dcb
• Instruction ID: e3de53362e35915b99009c0e59d36622c7380ccfe596ee9b6f8297171005c6bd
• Opcode Fuzzy Hash: 706ebbc755093a5d9d8a18f64f7e8e886ba9319beb28ab5bbd1b3db866458dcb
• Instruction Fuzzy Hash: F721D170401B00DECB35EB68C9553EEBBA1AF40308F64856ED056276C6DB7D2A09CB2A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041D6AE
  • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
• _strlen.LIBCMT ref: 0041D6D9
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
  • Part of subcall function 00406EB6: __EH_prolog3.LIBCMT ref: 00406EBD
  • Part of subcall function 00406EB6: _strlen.LIBCMT ref: 00406F7A
  • Part of subcall function 00406EB6: IsWindow.USER32(?), ref: 00406FB7
  • Part of subcall function 00406EB6: RedrawWindow.USER32(?,00000000,00000000,00000105,00000005), ref: 00407000
  • Part of subcall function 0041D295: _memset.LIBCMT ref: 0041D328
  • Part of subcall function 0041D295: MessageBoxA.USER32(00000000,?,026D82D8,00000010), ref: 0041D38E
  • Part of subcall function 004053C5: IsWindow.USER32(?), ref: 004053D5
  • Part of subcall function 00405435: _strnlen.LIBCMT ref: 0040544E
  • Part of subcall function 0040F7D6: __EH_prolog3_catch_GS.LIBCMT ref: 0040F7E0
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$H_prolog3_strlen_strnlen$H_prolog3_catch_MessageRedraw__mbsinc_memcpy_s_memset
• String ID:
• API String ID: 2626163449-0
• Opcode ID: c12d348f4e870654fca48f28d7014525eb314eaa7539487b0cfde81e42b4b109
• Instruction ID: 3d2cb502150bf57fa9faceea8c7b04f658fa715f275df4c26581434b428963e9
• Opcode Fuzzy Hash: c12d348f4e870654fca48f28d7014525eb314eaa7539487b0cfde81e42b4b109
• Instruction Fuzzy Hash: 6F015B35500148ABDB08FF65C856BED3B25AF51328F00816EB8156B2D2DF78AA44CA99
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memmove_s
• String ID:
• API String ID: 800865076-0
• Opcode ID: 96b1094e8ff69239307f6b243ab5d868c27e43372049561afe5f8bbafe7f33c0
• Instruction ID: f27183513869212a4da24ad4136747741623ac209ef4a67712c033fab610d61f
• Opcode Fuzzy Hash: 96b1094e8ff69239307f6b243ab5d868c27e43372049561afe5f8bbafe7f33c0
• Instruction Fuzzy Hash: 3F018B32500108ABCF11BF95C885DADB769EF44354B50812BFD057B2A1DB3A9D60DF59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowTextLengthA.USER32(00000000), ref: 004C06B7
• GetWindowTextA.USER32(00000000,00000000,00000000), ref: 004C06CC
  • Part of subcall function 00405435: _strnlen.LIBCMT ref: 0040544E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: TextWindow$Length_strnlen
• String ID:
• API String ID: 1159536582-0
• Opcode ID: 076fd303d090c406907696a15ca8f38f2f6930f6e85743e471de7f63f5c2e697
• Instruction ID: 5c4937c2e2e014ec81a48cf3809eaa955872ad50b593ebb93feaca9ee9590088
                                                                                                                              • Opcode Fuzzy Hash: 076fd303d090c406907696a15ca8f38f2f6930f6e85743e471de7f63f5c2e697
                                                                                                                              • Instruction Fuzzy Hash: 62F09036104248EBCB01AF96DC18EBF37A9EBC9320B04401FF92587290CA389451CB65
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
• Opcode ID: bf3270726b1e6cdd97388ec0c93b56f6992d1f98cd07fd050026713c04a19370
• Instruction ID: e10f8e0dd46059571d7913495a7d2d67f72b569096e9015733705064427d2858
• Opcode Fuzzy Hash: bf3270726b1e6cdd97388ec0c93b56f6992d1f98cd07fd050026713c04a19370
• Instruction Fuzzy Hash: 69F012715012597BCF10AF56DC89CEF7F6CEE85754704041AFD1957212D634F960CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004D303F: __EH_prolog3.LIBCMT ref: 004D3046
• GetCurrentThreadId.KERNEL32 ref: 004BE41E
• SetWindowsHookExA.USER32(00000005,004BE1A8,00000000,00000000), ref: 004BE42E
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
• String ID:
• API String ID: 1415497866-0
• Opcode ID: 7ea2ca7ad50fe30f72e350f3ae467c7ca8a0107d4785d3a0b0e26a16f7bebcb8
• Instruction ID: 5780401fc2edf1c90f2b31025af2906d046a794e948bb3c981230ab5b122f8ef
• Opcode Fuzzy Hash: 7ea2ca7ad50fe30f72e350f3ae467c7ca8a0107d4785d3a0b0e26a16f7bebcb8
• Instruction Fuzzy Hash: E1F0E23124071067CB302B979806BD77AB9DBC0F6AF16052BE60546641CA78A84086BF
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,7FFFFFFF,80000000,?,004045D4,?,00000000,?,00008000,?,00009011,00000000), ref: 004C1D60
• GetLastError.KERNEL32(?,?,004045D4,?,00000000,?,00008000,?,00009011,00000000), ref: 004C1D6D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: e6761d8dcf3d84b2c9de5956123e1aac6d773a16725031e72b32f39b8c96ff8f
• Instruction ID: bba89665e96726043d0c1c17ca459907c87cbe3a3f05df843f4ecd94134bdc27
• Opcode Fuzzy Hash: e6761d8dcf3d84b2c9de5956123e1aac6d773a16725031e72b32f39b8c96ff8f
• Instruction Fuzzy Hash: 3EF0A73A1006047BCB605F56DC04F57BB6DEF85731F10821FF92E95660DA35E800DBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(?), ref: 004B8896
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• SetWindowTextA.USER32(?,?), ref: 004B88BE
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Exception@8H_prolog3TextThrow
• String ID:
• API String ID: 3347280681-0
• Opcode ID: 2adde007ad8db28b4545fceeac66a921ebe40eb5de8707ca7c98ba86bc1df595
• Instruction ID: b5b46e4a1b6d179fca3762e1ded8144ada2f057a2d06b49014b07af564602dbf
• Opcode Fuzzy Hash: 2adde007ad8db28b4545fceeac66a921ebe40eb5de8707ca7c98ba86bc1df595
• Instruction Fuzzy Hash: AFF08C32100605DFCB306B55D808A97BBA9FB54361F44443FE58582A20DB359840CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(?,?,00008DD8,004038C7,EDB88320,?,00008020,00000000,00000024), ref: 004C1FB8
• GetLastError.KERNEL32(?,?,00008DD8,004038C7,EDB88320,?,00008020,00000000,00000024), ref: 004C1FDC
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: 059c31a56d95eb913fe4fb4bbcd500cde0c0e45f3636628489fcb700f6683d50
• Instruction ID: a43b792bec2f9e45bfe62cee496a7570d5e44b3cba210efd4c3b665b0893fab3
• Opcode Fuzzy Hash: 059c31a56d95eb913fe4fb4bbcd500cde0c0e45f3636628489fcb700f6683d50
• Instruction Fuzzy Hash: BFE06D360046105BC7209A39EC48E6777E9AFC57357258B1EF57AC75F08F3498068614
Uniqueness
Uniqueness Score: -1.00%

APIs
• ActivateActCtx.KERNEL32(?,?,0072C050,00000010,004D5360,?,?,00000000,?,Button), ref: 004BABFD
• GetClassInfoA.USER32(?,?,?), ref: 004BAC1A
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ActivateClassInfo
• String ID:
• API String ID: 1231007168-0
• Opcode ID: 77d7a105247b624b27cf17d56ef42589795aba53838bccdeb988b3c7aef9f8b5
• Instruction ID: 93bc917edbfcb538415c6bcd59c112f5191d159347ea46cae13ffd3b71495c16
• Opcode Fuzzy Hash: 77d7a105247b624b27cf17d56ef42589795aba53838bccdeb988b3c7aef9f8b5
• Instruction Fuzzy Hash: 80F05870800219EBCF21AFA4DD09AEDBEB4BF08710F50806AF514A2161C7388A21DFA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00008DD8,?,004038BB,00000000,00008DD8,EDB88320,?,00008020,00000000,00000024), ref: 004C1D22
• GetLastError.KERNEL32(?,?,004038BB,00000000,00008DD8,EDB88320,?,00008020,00000000,00000024), ref: 004C1D2F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorFileLastRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1948546556-0
                                                                                                                              • Opcode ID: 18302fceabd99679a17bae29bcaff061beada81ef654700ac36232b7d24a2d63
                                                                                                                              • Instruction ID: fd2bbd7cfda3389531d2f27ff3c117c5a8d308a07c58243a45473a648bd7f24b
                                                                                                                              • Opcode Fuzzy Hash: 18302fceabd99679a17bae29bcaff061beada81ef654700ac36232b7d24a2d63
                                                                                                                              • Instruction Fuzzy Hash: 0BE0923A100208BBCF509F50DC04F9677ADEB18320F50C82AFA2AC6421D738E910DB94
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ActivateActCtx.KERNEL32(?,00000000,0072C0F0,00000010,0050A8A2,UxTheme.dll,751F6910,?,0050A963,00000004,004E9366,00000000,00000004,0051D8CE), ref: 004BAED1
                                                                                                                              • LoadLibraryW.KERNEL32(00000020,?,0050A963,00000004,004E9366,00000000,00000004,0051D8CE,?,?,006B8DE4), ref: 004BAEE8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ActivateLibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 389599620-0
                                                                                                                              • Opcode ID: a9e812d374c1d48b38ac055401c7988ba03ed6a33c3c6b4a47f94ebeb48c11ff
                                                                                                                              • Instruction ID: cfe34e711cd43dd5e217eb46453094d7ca14ef23f7d9b5981eb0129c798481fb
                                                                                                                              • Opcode Fuzzy Hash: a9e812d374c1d48b38ac055401c7988ba03ed6a33c3c6b4a47f94ebeb48c11ff
                                                                                                                              • Instruction Fuzzy Hash: 6AF01CB0C14219ABCF61AFA4DC09AEDBEB8BF08B10F108556F115A2151C6785A51DBA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0042CA05: __EH_prolog3.LIBCMT ref: 0042CA0C
                                                                                                                              • IsWindow.USER32(?), ref: 0040F696
                                                                                                                              • SendMessageA.USER32(?,00000010), ref: 0040F6A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3MessageSendWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3000044278-0
                                                                                                                              • Opcode ID: 7595935588cfea26c5f06aa20456d9b8895b6bb68a2a4329c49106542488ffe3
                                                                                                                              • Instruction ID: 03369c3d16597eb84a1caa73f82033c6e61af4135baf6c86965da822f5626120
                                                                                                                              • Opcode Fuzzy Hash: 7595935588cfea26c5f06aa20456d9b8895b6bb68a2a4329c49106542488ffe3
                                                                                                                              • Instruction Fuzzy Hash: 63E012305156009BDB349F31DC09A5ABA79FB55354B404A3BA082918B0FB395956DE1C
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(?,?,004C811C,GetSaveFileNameA,?,?,004C8174,?,?,004C8CB6,?,?), ref: 004BBC05
                                                                                                                              • LoadLibraryA.KERNEL32(?,?,004C811C,GetSaveFileNameA,?,?,004C8174,?,?,004C8CB6,?,?), ref: 004BBC15
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleLibraryLoadModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4133054770-0
                                                                                                                              • Opcode ID: 07f7d6879b2a58102f4be396a89d8d8712eab542e092b3d5ce5f6796f8dcb6f3
                                                                                                                              • Instruction ID: 5e6668458fcd90784bfeccb0b20360c76bfb35b5799bf70c213c30286e767599
                                                                                                                              • Opcode Fuzzy Hash: 07f7d6879b2a58102f4be396a89d8d8712eab542e092b3d5ce5f6796f8dcb6f3
                                                                                                                              • Instruction Fuzzy Hash: BAE0B671515B11DFCB318F35E944A93BBE9EF54720B15C82EE4AAC2A20DB75E840DB50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __lock.LIBCMT ref: 005C716D
                                                                                                                                • Part of subcall function 005C43D8: __mtinitlocknum.LIBCMT ref: 005C43EE
                                                                                                                                • Part of subcall function 005C43D8: __amsg_exit.LIBCMT ref: 005C43FA
                                                                                                                                • Part of subcall function 005C43D8: RtlEnterCriticalSection.NTDLL(?), ref: 005C4402
                                                                                                                              • __tzset_nolock.LIBCMT ref: 005C717E
                                                                                                                                • Part of subcall function 005C6A74: __lock.LIBCMT ref: 005C6A96
                                                                                                                                • Part of subcall function 005C6A74: ____lc_codepage_func.LIBCMT ref: 005C6ADD
                                                                                                                                • Part of subcall function 005C6A74: __getenv_helper_nolock.LIBCMT ref: 005C6AFF
                                                                                                                                • Part of subcall function 005C6A74: _free.LIBCMT ref: 005C6B36
                                                                                                                                • Part of subcall function 005C6A74: _strlen.LIBCMT ref: 005C6B3D
                                                                                                                                • Part of subcall function 005C6A74: __malloc_crt.LIBCMT ref: 005C6B44
                                                                                                                                • Part of subcall function 005C6A74: _strlen.LIBCMT ref: 005C6B5A
                                                                                                                                • Part of subcall function 005C6A74: _strcpy_s.LIBCMT ref: 005C6B68
                                                                                                                                • Part of subcall function 005C6A74: __invoke_watson.LIBCMT ref: 005C6B7D
                                                                                                                                • Part of subcall function 005C6A74: _free.LIBCMT ref: 005C6B8C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1828324828-0
                                                                                                                              • Opcode ID: ff786fe9bfa2bf07301908f0dc04e50a6070698d31f686b2c370f685a4b4868f
                                                                                                                              • Instruction ID: 11e3c72a1d31639d79664520584639fe690179cdb0575dad52ce0903828aca3c
                                                                                                                              • Opcode Fuzzy Hash: ff786fe9bfa2bf07301908f0dc04e50a6070698d31f686b2c370f685a4b4868f
                                                                                                                              • Instruction Fuzzy Hash: 5EE08C70495B569EC6256BE0691AF8CBD24BB88B23F248129B040294C2CAB81681CAE6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ___crtCorExitProcess.LIBCMT ref: 005B6017
                                                                                                                                • Part of subcall function 005B5FE4: GetModuleHandleW.KERNEL32(mscoree.dll,?,005B601C,?,?,005B4BB2,000000FF,0000001E,00000001,00000000,00000000,?,005C4E2D,?,00000001,?), ref: 005B5FEE
                                                                                                                                • Part of subcall function 005B5FE4: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B5FFE
                                                                                                                              • ExitProcess.KERNEL32 ref: 005B6020
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2427264223-0
                                                                                                                              • Opcode ID: eb5ddc89799c9acec53768ca0820a2e9a94691fcade5ddb4911107f1734abd1a
                                                                                                                              • Instruction ID: 30af643087ab2adc2d35e2618f40d49e364d81bcbec9b2c30b68a258173e47b9
                                                                                                                              • Opcode Fuzzy Hash: eb5ddc89799c9acec53768ca0820a2e9a94691fcade5ddb4911107f1734abd1a
                                                                                                                              • Instruction Fuzzy Hash: FEB09231008108BBCF053F52DC0EC997F2AFB803A1B18606AFC0809071EF72AD92EA80
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004C2293: __EH_prolog3_GS.LIBCMT ref: 004C229D
  • Part of subcall function 004C2293: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,004C2516,?,00000000,?,?,00008DD8,00000000), ref: 004C22DB
  • Part of subcall function 004C2293: __cftof.LIBCMT ref: 004C22EF
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• CreateFileA.KERNEL32(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,00000000,?,?,00008DD8,00000000), ref: 004C2631
Similarity
• API ID: CreateFileFullH_prolog3_NamePath__cftof_strlen
• String ID:
• API String ID: 3007231952-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00419E0D
  • Part of subcall function 00410A95: __EH_prolog3.LIBCMT ref: 00410A9C
  • Part of subcall function 0043F48F: __EH_prolog3.LIBCMT ref: 0043F496
  • Part of subcall function 0043F5B2: __EH_prolog3.LIBCMT ref: 0043F5B9
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004B5F99
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID:
• API String ID: 2489616738-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00445F65
  • Part of subcall function 004458D4: __EH_prolog3.LIBCMT ref: 004458DB
  • Part of subcall function 004458D4: RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,NoName,0000000C,00446312,00000000,?,00000000,00000006,00000000,?), ref: 00445994
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$QueryValue_strlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2713988897-0
                                                                                                                              • Opcode ID: 4ecb9f7cb707de0302e7b2ec67c22333ad6b5aefab3a62529ef2570931bc5c24
                                                                                                                              • Instruction ID: 0a384c2bad536400c754a2f014aff6f5f7d79f9a97a8a6906887eae54cd8aed0
                                                                                                                              • Opcode Fuzzy Hash: 4ecb9f7cb707de0302e7b2ec67c22333ad6b5aefab3a62529ef2570931bc5c24
                                                                                                                              • Instruction Fuzzy Hash: 5F314A7290021ACFDF14DFE4C8815BFBBB5BF44304F14412FE511A6292CB385A55CBAA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 004BD048
                                                                                                                                • Part of subcall function 004D303F: __EH_prolog3.LIBCMT ref: 004D3046
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$Exception@8H_prolog3_catch_Throw
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2285297229-0
                                                                                                                              • Opcode ID: a9c04a5b041187d37d91877f52007bf96dba8ca561945c74f4beca3ce84421f6
                                                                                                                              • Instruction ID: 35d602cffc451bb9ce51de340e279898be0ece3b500f6aa5275223d5c43514cb
                                                                                                                              • Opcode Fuzzy Hash: a9c04a5b041187d37d91877f52007bf96dba8ca561945c74f4beca3ce84421f6
                                                                                                                              • Instruction Fuzzy Hash: 6031F871E00209DFCF04DFA9C8819DEBBB6BF88314F11446AE905AB251D774A941CBA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00466DFF
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                                • Part of subcall function 0044CBB0: __EH_prolog3_GS.LIBCMT ref: 0044CBBA
                                                                                                                                • Part of subcall function 0044CBB0: _strlen.LIBCMT ref: 0044CBF9
                                                                                                                                • Part of subcall function 0044CBB0: _memset.LIBCMT ref: 0044CC23
                                                                                                                                • Part of subcall function 0044CBB0: SetCurrentDirectoryA.KERNEL32(?), ref: 0044CC8D
                                                                                                                                • Part of subcall function 0044CBB0: CreateDirectoryA.KERNEL32(?,00000000), ref: 0044CC9F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$Directorylua_remove.$CreateCurrentH_prolog3__memcpy_s_memset_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.lua_type.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2899551767-0
                                                                                                                              • Opcode ID: 72af5e0a08816f0170062f9f09a885833ef6b2a960a2ebe063d85ec001510ee5
                                                                                                                              • Instruction ID: 1e8488d5594155b11a25db18a69d6b6ff1ec418ed2b32236f21ab301b3b40ea5
                                                                                                                              • Opcode Fuzzy Hash: 72af5e0a08816f0170062f9f09a885833ef6b2a960a2ebe063d85ec001510ee5
                                                                                                                              • Instruction Fuzzy Hash: 7F2151728002059BDB04EBA5C847BBE7774AF11328F28055EF550772D2DA7C5A4487A9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0048BD07
                                                                                                                                • Part of subcall function 004B7F10: DeleteObject.GDI32(00000000), ref: 004B7F1F
                                                                                                                                • Part of subcall function 004025A1: __EH_prolog3_catch_GS.LIBCMT ref: 004025AB
                                                                                                                                • Part of subcall function 00489B68: __EH_prolog3.LIBCMT ref: 00489B6F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$DeleteH_prolog3_catch_Object
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3005623789-0
                                                                                                                              • Opcode ID: 666a8d487d370905c94483db3d1d733d4f7bcdd364d7cbb9819042d27e0edc82
                                                                                                                              • Instruction ID: 00c3991bfe3d78ba08a411d1603922248540fea42ed9a35973da0ea0aefe6159
                                                                                                                              • Opcode Fuzzy Hash: 666a8d487d370905c94483db3d1d733d4f7bcdd364d7cbb9819042d27e0edc82
                                                                                                                              • Instruction Fuzzy Hash: 48214D34405B84DED725FBB5C1667EDBBA0AF25308F54888DD49A132C2DF782709D72A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00449FD1
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 00449EEE: __time64.LIBCMT ref: 00449F08
                                                                                                                                • Part of subcall function 00449EEE: FileTimeToLocalFileTime.KERNEL32(00000001,?,?), ref: 00449F18
                                                                                                                                • Part of subcall function 00449EEE: FileTimeToSystemTime.KERNEL32(?,?), ref: 00449F2E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Time$File$H_prolog3$LocalSystem__time64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1704945122-0
                                                                                                                              • Opcode ID: 6c3cafa34ab455583b4a186e846650d15654d0f72975b27b90bc4934b2b588d1
                                                                                                                              • Instruction ID: 8edd6162f4f81386a2219fc17730774e422d45b40ca8196191fbfbed2052983f
                                                                                                                              • Opcode Fuzzy Hash: 6c3cafa34ab455583b4a186e846650d15654d0f72975b27b90bc4934b2b588d1
                                                                                                                              • Instruction Fuzzy Hash: A8113372400609ABC714EFA5C881ADBB7F8FF18314B14862EF556D7681EB38F654CBA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
• Opcode ID: 9dddd9812740acf6309119ac11461552adba8f76e61a688046cda27d89329e2e
• Instruction ID: d8fd880ea3f8ec5dadecaff8660c66f2118ea668a4eecb3c5a83ed41aefea348
• Opcode Fuzzy Hash: 9dddd9812740acf6309119ac11461552adba8f76e61a688046cda27d89329e2e
• Instruction Fuzzy Hash: 9A015AB5600204AFD700DFA8C885CAABBA8FF49358B1045AEF955E7361DB75ED00CA64
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(?), ref: 0042001A
  • Part of subcall function 004B894D: ShowWindow.USER32(?,?,?,004B6C70,00000000,0000E146,00000000,?,?,00402098,0000002C,0000000A), ref: 004B895E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Show
• String ID:
• API String ID: 990937876-0
• Opcode ID: d80afbce797d1d91d63c43501ce3f6093879a1fdbe9a40adc6a26084fa7dc238
• Instruction ID: 0059cb2f85582c594cbf677edbae5ecea8e0ecd1c3bee1c144135006f980bc30
• Opcode Fuzzy Hash: d80afbce797d1d91d63c43501ce3f6093879a1fdbe9a40adc6a26084fa7dc238
• Instruction Fuzzy Hash: 420188353006108FE721AB28E844B7A33E6BF80715F48405EE49A8B362CF29EC01CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004D3046
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID:
• API String ID: 2489616738-0
• Opcode ID: 88b59579be12c39c5554ba635bc1fa668eae106899fd88567c371986c63ec5ce
• Instruction ID: 9b10b40ea2fdd3bb14725b35e422f5a388c3696fdd90f1f3fb94d67d1dc2e190
• Opcode Fuzzy Hash: 88b59579be12c39c5554ba635bc1fa668eae106899fd88567c371986c63ec5ce
• Instruction Fuzzy Hash: 3901B5301002068BCB29FF35C8263AE3AA2AB51356F24842FE54187390DFBCCD00C759
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,00400000,00000000,00000000), ref: 00401119
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 737286a37961cd1bf920fb7793b9182856de261f3294f5bd5c4be44f4ad453c9
• Instruction ID: fd0ce55e1d8b475e94c382aa1f117de81b36cac8a70a1f4a7569a9fe7c6bb526
• Opcode Fuzzy Hash: 737286a37961cd1bf920fb7793b9182856de261f3294f5bd5c4be44f4ad453c9
• Instruction Fuzzy Hash: E7F04F362142459BDB188E59DC007AB73AAFF84771F04443FFD9497690DB74DC108B94
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(?,?,00400000,00000000,00000000), ref: 004010BF
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: d16d3f1bc7910b5c5ebed88e9fc9793a28bda42857519fe0fb2439fef4123a45
• Instruction ID: e1bf84e88daaaf2509aabbbb5d847b9b5f02ed78212a20b108d70aa10a2bcbc7
• Opcode Fuzzy Hash: d16d3f1bc7910b5c5ebed88e9fc9793a28bda42857519fe0fb2439fef4123a45
• Instruction Fuzzy Hash: 54F04F36210245ABEB148E59DC007AB73A9FF84371F05443FFD9497790D779D8908B94
Uniqueness
Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(?,?,00000000,?,?,004BF875,00000004,00401D99), ref: 004BC11B
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
• Opcode ID: 12dcc94864c201e898f2ebc25172f21333b9b77f9d783bd0891a24de6e76c733
• Instruction ID: 568c9728df4464269c6de650153aa71730d2cf4722e92b3938b34ea842d2de8b
• Opcode Fuzzy Hash: 12dcc94864c201e898f2ebc25172f21333b9b77f9d783bd0891a24de6e76c733
• Instruction Fuzzy Hash: 15F03135600A00CF4B32AA69D8C08A773E6EBC4351325491FE0C6D6712EA28DC42CF29
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
• Opcode ID: 39e4f229af4e30c8d53802847369c1d014af499fde2e25785608ad57cc278073
• Instruction ID: 393fc8767cacaa3764580e8698a10bd688945135bb74fefa78c0aeaad2ec02b5
• Opcode Fuzzy Hash: 39e4f229af4e30c8d53802847369c1d014af499fde2e25785608ad57cc278073
• Instruction Fuzzy Hash: 73F09632200140A7DB206E598C05E6F77A9DF91B54F14443FFA54F62A1D67798109AAD
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0043F496
  • Part of subcall function 0043F3CE: __EH_prolog3.LIBCMT ref: 0043F3D5
  • Part of subcall function 0043F3CE: __time64.LIBCMT ref: 0043F3EE
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$__time64
• String ID:
• API String ID: 1961665919-0
• Opcode ID: 6ce4192f22f41713f400a727332b2a39af6f3e942b352b10085a309da6721ed9
• Instruction ID: e42b9f65b37361f6490ca16654b7a180aad3da059e86116934e769f3e4921e38
• Opcode Fuzzy Hash: 6ce4192f22f41713f400a727332b2a39af6f3e942b352b10085a309da6721ed9
• Instruction Fuzzy Hash: 76018471C00A40AED716FFA5C8467DEB7E86F50318F80455EB047E6192DEB8AA09CB6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0044A6ED
  • Part of subcall function 00485930: __EH_prolog3.LIBCMT ref: 00485937
  • Part of subcall function 00485930: __time64.LIBCMT ref: 0048598D
  • Part of subcall function 00485930: __time64.LIBCMT ref: 00485993
  • Part of subcall function 00485930: __time64.LIBCMT ref: 00485999
  • Part of subcall function 0044A06A: __EH_prolog3_GS.LIBCMT ref: 0044A074
  • Part of subcall function 0044A06A: FindFirstFileA.KERNEL32(?,?,00000148,0041F1AF,?,?,?,?,00000104,?,00000000), ref: 0044A089
  • Part of subcall function 0044A06A: FindClose.KERNEL32(00000000,?,?,00000001,?,?,?,?,?,?,00000104,?,00000000), ref: 0044A0C6
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: __time64$FindH_prolog3$CloseFileFirstH_prolog3_
• String ID:
• API String ID: 4146640304-0
• Opcode ID: a1bcbbc4a30aaf6df79075bd7ed9f8308d213629a28d2355651a8634fd2ae646
• Instruction ID: 81549d7dddf35ac21028f3018a2ad4e8f29330a37daaa7d160e8f0fcd0ae93de
• Opcode Fuzzy Hash: a1bcbbc4a30aaf6df79075bd7ed9f8308d213629a28d2355651a8634fd2ae646
• Instruction Fuzzy Hash: F5F08C31910119ABDB18EFE8C806BDCBB60BF24328F54860DF415AB3D6CB789A05CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNEL32(?,?,00766C98,005D78B3,?,?,?,?,00000008,005D790B,?,00000000,005D7DB0), ref: 005D70DF
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 1c1b6921be856c63e3ae9c46fd72be89775b898bcd9533865af811849bae6022
• Instruction ID: 86c7be887ec7c1b31b44e063d5f279947f38e8f4a93e5cf6394cf27351513c2a
• Opcode Fuzzy Hash: 1c1b6921be856c63e3ae9c46fd72be89775b898bcd9533865af811849bae6022
• Instruction Fuzzy Hash: CBF0A0351086044E8B38CE1DD8588A6BB96AF89320315861FD97B87BE1DE60BC82CF00
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageA.USER32(?,00000362,0000E001,00000000), ref: 004C4810
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: a8569bb7c6968e71bb9b6fee31d299d4f2f0d38daeaf7b9fb219c4803eecf9a7
• Instruction ID: 8cd3648e401eff5dfaffd811c479b16f5d50dda1588a98380e5f254167e490bc
• Opcode Fuzzy Hash: a8569bb7c6968e71bb9b6fee31d299d4f2f0d38daeaf7b9fb219c4803eecf9a7
• Instruction Fuzzy Hash: 35F0A7342105006BCB201F358C05FA977D5EF45730F11072BF955962E0CBB5D9409654
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3_catch
• String ID:
• API String ID: 3886170330-0
• Opcode ID: cb61f555d0003d5a84a893c439963661690f428a1aa8cf7adfe6cbb7ed9b99e4
• Instruction ID: f57176400a2e8db19faa0f26fc1d71298f8b8d1649e094a28a4b65491ccb419c
• Opcode Fuzzy Hash: cb61f555d0003d5a84a893c439963661690f428a1aa8cf7adfe6cbb7ed9b99e4
• Instruction Fuzzy Hash: C801A4B4900209CFDB08DF99C085AEDBBF1BF98300F10806EE809AB351DA706941CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 21b44d4ef5729340bbcdf14e1cfc1f86120f2ff158bc182162681a283508a673
• Instruction ID: c377a5cafc5b397f9798f995e224054fdece02fea5b6d3a1c83eb9c6d8866aec
• Opcode Fuzzy Hash: 21b44d4ef5729340bbcdf14e1cfc1f86120f2ff158bc182162681a283508a673
• Instruction Fuzzy Hash: F8F090745017018BDB64EFA4C64675EBBE1BF18304F90659DE542976D2DB78FA00CB48
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,00403CB6,?,?,?,?,?,?,00000000), ref: 0040964D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 4f16980afffdedc01ac7431d0324489a5f8f0009f096265cab29818fe86be34f
• Instruction ID: 3caaf326fbabbe74bf1658b1ca7b05505cab82d0c084d78479f47485b56d7096
• Opcode Fuzzy Hash: 4f16980afffdedc01ac7431d0324489a5f8f0009f096265cab29818fe86be34f
• Instruction Fuzzy Hash: 6CE0E5B1900214BFDB04DB55DC45EEEB7BDEF88714F108169F514E7290E275AE418694
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00405B26
  • Part of subcall function 0040588A: _memcpy_s.LIBCMT ref: 004058AB
  • Part of subcall function 0040588A: _memcpy_s.LIBCMT ref: 004058BB
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memcpy_s$H_prolog3
• String ID:
• API String ID: 1888667434-0
• Opcode ID: 86d6c9abd8ec275428fa5454b7acb60ea51a2a5d9e49945607cc6d18155f5dd3
• Instruction ID: bf621cff12e37e08e620ce67135f1ed7af3f448e948334f85dda5d4bfe59561b
• Opcode Fuzzy Hash: 86d6c9abd8ec275428fa5454b7acb60ea51a2a5d9e49945607cc6d18155f5dd3
• Instruction Fuzzy Hash: 28F03AB9900604AFDF04EF54C849BAEBB75FF44325F108448F9156F281C7B5AE10CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000080,00000000), ref: 00401035
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4f3b07bd40f3d522c7aee41185788622155d2c63125d41ec50d1eaf27111335f
• Instruction ID: 2c7a2793617e4f947822ac07c5b0ec67816180b1c4a959a4a58cf2a9e728180f
• Opcode Fuzzy Hash: 4f3b07bd40f3d522c7aee41185788622155d2c63125d41ec50d1eaf27111335f
• Instruction Fuzzy Hash: 7EE086F16A42086FF7084E34EC06F753399D705B25F144B69BD1AC56E0E675A8509510
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(?), ref: 004053D5
  • Part of subcall function 004B894D: ShowWindow.USER32(?,?,?,004B6C70,00000000,0000E146,00000000,?,?,00402098,0000002C,0000000A), ref: 004B895E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Show
• String ID:
• API String ID: 990937876-0
• Opcode ID: 10eaca586d665bd59372f736d38392cad926d01f32a5e6ef62b59ec4ce0dc1c4
• Instruction ID: bf3591042bfef8a7ac9b8e62adde967be53af70fa7cfcff4c7ff55ed3b1a5ef9
• Opcode Fuzzy Hash: 10eaca586d665bd59372f736d38392cad926d01f32a5e6ef62b59ec4ce0dc1c4
• Instruction Fuzzy Hash: 8EF0A5317197008BD7249B28D564BA777E9EF05706F1504ADA45E9B2A2CB78B840CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00403D80
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 3f2dca423c74055454f3b3c662d62741d56569162571df05e91416816b0d3300
• Instruction ID: 5515a941255dffa032bcb3759c20b981950cb6b02a4cecc93e5771125058ccba
• Opcode Fuzzy Hash: 3f2dca423c74055454f3b3c662d62741d56569162571df05e91416816b0d3300
• Instruction Fuzzy Hash: DDF0E530510508DBCB18EF75C485BDE3B75BF40304F00862EB4426B2D1EB38EA44CB84
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B894D: ShowWindow.USER32(?,?,?,004B6C70,00000000,0000E146,00000000,?,?,00402098,0000002C,0000000A), ref: 004B895E
• ShowOwnedPopups.USER32(?,00000000), ref: 004CB49B
  • Part of subcall function 004B8B6D: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,004BB972,?,004BB972,00000000,?,?,000000FF,000000FF,00000015), ref: 004B8B95
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ShowWindow$OwnedPopups
• String ID:
• API String ID: 2413815092-0
• Opcode ID: 1ee8a6c5a38572d3527425811c51b935c75a3ee2ba2c4016e4faf8b7854e545f
• Instruction ID: 95d775233abd1f69a50bff3466d101abaafb5dacebb1ce71043bdd846fb57335
• Opcode Fuzzy Hash: 1ee8a6c5a38572d3527425811c51b935c75a3ee2ba2c4016e4faf8b7854e545f
• Instruction Fuzzy Hash: 2BE08C72200180BBC3305727EC4CCA77EBDFBCEF20705011EB089471618960A801C674
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 0982b9d7c6d6447bcf7e7886ea0aff9b503804373ece7742af4d2f91059f05d7
• Instruction ID: c82c482e0c6429a92941809339157213fc0636f57b3459e766a34f661389f167
• Opcode Fuzzy Hash: 0982b9d7c6d6447bcf7e7886ea0aff9b503804373ece7742af4d2f91059f05d7
• Instruction Fuzzy Hash: 55E02BB4900202CBDB14EFE0C10979DBBA17F00320F108A4ED061872C1DB789D81C795
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 9b83ba0655314f4e37a556a4b6de155a674e27f4f46e4ba5d4396f453d480eca
• Instruction ID: 8975a5f96dafda6855f93029d06ed42361a455b31ed2e1dd82acb62b3f23f5c0
• Opcode Fuzzy Hash: 9b83ba0655314f4e37a556a4b6de155a674e27f4f46e4ba5d4396f453d480eca
• Instruction Fuzzy Hash: 8CE0A970100200CBDB28FFE9C216B6CBAA2BF50304F400A5EE096636C2CFB42504C722
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 004D2B6A
  • Part of subcall function 004D31EC: RtlEnterCriticalSection.NTDLL(00751018), ref: 004D3226
  • Part of subcall function 004D31EC: RtlInitializeCriticalSection.NTDLL(?), ref: 004D3238
  • Part of subcall function 004D31EC: RtlLeaveCriticalSection.NTDLL(00751018), ref: 004D3245
  • Part of subcall function 004D31EC: RtlEnterCriticalSection.NTDLL(?), ref: 004D3255
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
• String ID:
• API String ID: 1641187343-0
• Opcode ID: 8a7cc949bffc3f1c55c0b4995aa4ef9a20200d60a57f43d420b089c3778747e4
• Instruction ID: 78ec497cddfd717cb3eb8d1fff045b4ac5d97da2e09ed5493533672b637149ec
• Opcode Fuzzy Hash: 8a7cc949bffc3f1c55c0b4995aa4ef9a20200d60a57f43d420b089c3778747e4
• Instruction Fuzzy Hash: 8FE0923420060697E764EFB4C906B8DB6E07F20321F20462BF8D09B3C0DAB19A408715
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3_strlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 782648989-0
                                                                                                                              • Opcode ID: 77f7bc30006821a29958f2c4bbffccb0d3b49072c26207cd58cb6d1ce87ecae4
                                                                                                                              • Instruction ID: c0d3374da0a1dc439287b81cb4d1cabab3852fbea1a8714df7ef82b3d37554df
                                                                                                                              • Opcode Fuzzy Hash: 77f7bc30006821a29958f2c4bbffccb0d3b49072c26207cd58cb6d1ce87ecae4
                                                                                                                              • Instruction Fuzzy Hash: 14E0867460091057CF0BBF54881679D6A626F40704F00401EF4447B292DF3D5B1286DD
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 004B3CDC
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Exception@8H_prolog3H_prolog3_catchThrow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1377961577-0
                                                                                                                              • Opcode ID: 056d0ac23da770a9f415828359bd401a0104db57860f668a10dc8e5c22ae7a66
                                                                                                                              • Instruction ID: 84e816adfeb80e0627f80a186ab24802854d759c283db3f2d7e03e3fcf9de192
                                                                                                                              • Opcode Fuzzy Hash: 056d0ac23da770a9f415828359bd401a0104db57860f668a10dc8e5c22ae7a66
                                                                                                                              • Instruction Fuzzy Hash: B9E04830E015078BDF48EFB545431ADBEB2AFD4305B34C477E401E6145E5398A439B25
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00492E98
                                                                                                                                • Part of subcall function 0049247F: __EH_prolog3.LIBCMT ref: 00492486
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 431132790-0
                                                                                                                              • Opcode ID: d2225bb162fb305fda03ddef380af5f7b938387385bf41c4c286c3c507b44ea7
                                                                                                                              • Instruction ID: f40f84efc84cb7ea32fc51e235c349be48d5c23038bd9b9444b380acb951bef4
                                                                                                                              • Opcode Fuzzy Hash: d2225bb162fb305fda03ddef380af5f7b938387385bf41c4c286c3c507b44ea7
                                                                                                                              • Instruction Fuzzy Hash: A1E02670A40B55AADF10FB688D06BDD7D956B54B00F50426EB2846B1C2CBF82A01479E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FindCloseChangeNotification.KERNEL32 ref: 00401076
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ChangeCloseFindNotification
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2591292051-0
                                                                                                                              • Opcode ID: d5184d9b09d2be1529850392db2792c83136f6f13d0f3dc67b5608a725ea0b67
                                                                                                                              • Instruction ID: 83cb294aa58a1aa32953ae01fab8f13757e9e32933b898cf421cde06aad7fa49
                                                                                                                              • Opcode Fuzzy Hash: d5184d9b09d2be1529850392db2792c83136f6f13d0f3dc67b5608a725ea0b67
                                                                                                                              • Instruction Fuzzy Hash: C2D05E312186189BD7205EBDAC05492B7ECEA013B13500F77ECF4D3AE0D33098818684
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049B223
                                                                                                                                • Part of subcall function 0049A6F5: __EH_prolog3.LIBCMT ref: 0049A6FC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 431132790-0
                                                                                                                              • Opcode ID: 268965899baa35009ed55d7985054983c7c4cea072cd9c2fdd58425af9011a44
                                                                                                                              • Instruction ID: 5af64875ab721ea2d479c0b5a7cbdefb8929fbe80b725dca7dbbf035c477cdb2
                                                                                                                              • Opcode Fuzzy Hash: 268965899baa35009ed55d7985054983c7c4cea072cd9c2fdd58425af9011a44
                                                                                                                              • Instruction Fuzzy Hash: 23E086709005529ACF15BF64844539D7A916F50304F50016EB14597282DFB85E0187DE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00494BD4
                                                                                                                                • Part of subcall function 00493E5A: __EH_prolog3.LIBCMT ref: 00493E61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 431132790-0
                                                                                                                              • Opcode ID: 93c9ccaecbb3fa92279ad36eb0aa0240f293ad26ba26cf516c058dfe3f345915
                                                                                                                              • Instruction ID: c9370370dc4300762a20998a4d30c237e5962e3c0239b04b5e84eb5d88828255
                                                                                                                              • Opcode Fuzzy Hash: 93c9ccaecbb3fa92279ad36eb0aa0240f293ad26ba26cf516c058dfe3f345915
                                                                                                                              • Instruction Fuzzy Hash: C9E08CB09009128ACF1AFFA4C8163DDBEA17F50704F40416EB1859B282CFB85E0187DE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 431132790-0
                                                                                                                              • Opcode ID: 70fd2fd428c446c98601ad2d921c309d10dda4974682c86379bc1ed7af2a9136
                                                                                                                              • Instruction ID: 9b0e613fcb040e0f2727c8112f33bf8e7ee4743588f220c7bb375048c98c3490
                                                                                                                              • Opcode Fuzzy Hash: 70fd2fd428c446c98601ad2d921c309d10dda4974682c86379bc1ed7af2a9136
                                                                                                                              • Instruction Fuzzy Hash: 9BE08670501617CBCF28FFB885063BD7EA2BF40314F10066EA0A5572C6CBB42A01D799
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,004449DB,?,004449ED,?,00444D70,0000000C,0044542D,?,00000001,00000000,?,?,?,004454E5), ref: 004448D7
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 82d40b0c88f336ab992d3fa3c17fab83d8e08eb5dde4761dfa95bb71d53fc3aa
• Instruction ID: 3d38625a62aa55905e3da18d8033baa83e9d22a5bf85c2335f0f34ff1f719cf5
• Opcode Fuzzy Hash: 82d40b0c88f336ab992d3fa3c17fab83d8e08eb5dde4761dfa95bb71d53fc3aa
• Instruction Fuzzy Hash: EFD0A772A607124BEB3C8E38E8067B676D8BF08324F145B3E544BC36C0DB6CD844865C
Uniqueness
• Uniqueness Score: -1.00%
APIs
• RegCloseKey.KERNEL32(?,?,004449D4,?,004449ED,?,00444D70,0000000C,0044542D,?,00000001,00000000,?,?,?,004454E5), ref: 004448AB
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: db3b1c38f9f89b360529ed9fce9be2f5a3619a48cbb9e826765914fccc7d31d6
• Instruction ID: e917cf194c724aebc0155a8f253f845af1eff8a635c946eb43483ec416ea8548
• Opcode Fuzzy Hash: db3b1c38f9f89b360529ed9fce9be2f5a3619a48cbb9e826765914fccc7d31d6
• Instruction Fuzzy Hash: 7DD0A772B607114BEB3C8E29E8067B637D89F08724F141B3E540FC26C0C66CD844865C
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: f610e71837fda57ba0704dfed6013f9328de71b2def3e1478a2ab0c17d0b684a
• Instruction ID: 70b7c1fba3fa54e2513cb73effcb1cb93493a030d389469eeda3df0ca5a38489
• Opcode Fuzzy Hash: f610e71837fda57ba0704dfed6013f9328de71b2def3e1478a2ab0c17d0b684a
• Instruction Fuzzy Hash: 02D0C9721101286E9B152E64E8018BE7B9DDB507A1700C03BFE049A2A1EA759E9096E8
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 0049B267
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 0049B21C: __EH_prolog3.LIBCMT ref: 0049B223
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: a0a53f325660f74bfbd1f73e3748d373e4863111c5ae2561d4d7b149cec002af
• Instruction ID: 6804d3dbd8772e955c34fe946930d8275dde2fd07f02d26f2fc5bdf1deaa9f40
• Opcode Fuzzy Hash: a0a53f325660f74bfbd1f73e3748d373e4863111c5ae2561d4d7b149cec002af
• Instruction Fuzzy Hash: ACD0A7656401064ADF4CFBF8560636C1D91AF48300F00417EE108DE2C1EE3405414669
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004A54EE
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 004A51BC: __EH_prolog3.LIBCMT ref: 004A51C3
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: ac585c5dbe608006666a736f47737a8a9b21b8667c16c645131b4eb93ee122fa
• Instruction ID: 9f3cfc6ca601d2ceb662abab7bcc2831cc351385507c3cca27cc441545fa7249
• Opcode Fuzzy Hash: ac585c5dbe608006666a736f47737a8a9b21b8667c16c645131b4eb93ee122fa
• Instruction Fuzzy Hash: 6BD0A764A015024ADF4CFBF8060236C18923B54304F44812EA108DA282ED3405014729
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0049B6F5
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 0049B6BF: __EH_prolog3.LIBCMT ref: 0049B6C6
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: 26ab3fdd207691da395a357fdbff512ff9a822558e0cfca97220e601c979df5a
• Instruction ID: 4fbf2487f9102fde76b59471fbb79e8a2e516566721050e000bba067d66e0eec
• Opcode Fuzzy Hash: 26ab3fdd207691da395a357fdbff512ff9a822558e0cfca97220e601c979df5a
• Instruction Fuzzy Hash: 8AD0A7656001124ADF1CFFF8160237C2CE16F84300F00423EE108DA281EE341940466A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetDlgItemTextA.USER32(?,?,?), ref: 004B8782
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: 4a49ff6d043cade1bf5420b34ef3de4c80269102bd6716103146f925be0cd26c
• Instruction ID: c7a0fd1a567b4702c86ec7b5c7c9aa05e55f3f45dd4f1aa552d1e37f61c93377
• Opcode Fuzzy Hash: 4a49ff6d043cade1bf5420b34ef3de4c80269102bd6716103146f925be0cd26c
• Instruction Fuzzy Hash: 58D01232100508DFCB405F40D848AA53BA9FB58315F6080A9E55C0A522CB339862DB40
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00497C49
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 00497C09: __EH_prolog3.LIBCMT ref: 00497C10
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: 2d760c4596559ddcf92df6c274c2bdb9cc3ddbeb34fa375ed53a3abf0e38b908
• Instruction ID: cfc93cbe0e52640c19a475a1c784f4a920168cdcce7a8ba29dc63274a0bad243
• Opcode Fuzzy Hash: 2d760c4596559ddcf92df6c274c2bdb9cc3ddbeb34fa375ed53a3abf0e38b908
• Instruction Fuzzy Hash: 77D0A764A041024ADF0CFBF8094639C1C913B48301F44453FA108DA281F97415404729
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00494C18
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 00494BCD: __EH_prolog3.LIBCMT ref: 00494BD4
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: a0a53f325660f74bfbd1f73e3748d373e4863111c5ae2561d4d7b149cec002af
• Instruction ID: 4726b98e77acdfa6c9562c6c5c54724581029f320d9bbc14561950200a3373ca
• Opcode Fuzzy Hash: a0a53f325660f74bfbd1f73e3748d373e4863111c5ae2561d4d7b149cec002af
• Instruction Fuzzy Hash: DFD0A7656001064ADF1CFBF8450276C1C912F84304F00423FB118DA2C1FD3455424629
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00493CAF
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 00492E91: __EH_prolog3.LIBCMT ref: 00492E98
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID:
• API String ID: 1683881009-0
• Opcode ID: 1c4d2af1ef4808458cff65c6b57620736680b1bcdbbfecedf828336fd7f1c24a
• Instruction ID: 14bdd4c944f82d78484cd96270e6dc7ac4d1beb2e38a3326e3390376c06475da
• Opcode Fuzzy Hash: 1c4d2af1ef4808458cff65c6b57620736680b1bcdbbfecedf828336fd7f1c24a
• Instruction Fuzzy Hash: 32D0A7697002018ADF1CFFF8060639C1C912B44300F00413FB108EA2C1E97416004629
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041E09C
  • Part of subcall function 004CA253: __EH_prolog3.LIBCMT ref: 004CA25A
  • Part of subcall function 004CA253: __strdup.LIBCMT ref: 004CA27C
  • Part of subcall function 004CA253: GetCurrentThread.KERNEL32 ref: 004CA2A9
  • Part of subcall function 004CA253: GetCurrentThreadId.KERNEL32 ref: 004CA2B2
  • Part of subcall function 004060C0: __EH_prolog3.LIBCMT ref: 004060C7
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$CurrentThread$__strdup
• String ID:
• API String ID: 420856885-0
• Opcode ID: e9ade39488ba1e3a5bf21aaeb2043b53d6a1c64dd407c6f981127a9b125fd0f3
• Instruction ID: e38e78fc9db42415650a20d15b514721e5dd9209ba0cb4ae35b9122df1054bc2
• Opcode Fuzzy Hash: e9ade39488ba1e3a5bf21aaeb2043b53d6a1c64dd407c6f981127a9b125fd0f3
• Instruction Fuzzy Hash: 1DD0A7B89017158BDB24FF64C81678D7E61BF54714F40854DF149572C1DFB92904C79A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(?,?,?,004B6C70,00000000,0000E146,00000000,?,?,00402098,0000002C,0000000A), ref: 004B895E
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: cbab26d748e0a15bd5f1df365a745f320e5b199e5a708dbeb22ae0832455a3fa
• Instruction ID: 39898d7e4c467fc577bf6393c6c6583a5500d8ff6fd4101759beb814fc527ad9
• Opcode Fuzzy Hash: cbab26d748e0a15bd5f1df365a745f320e5b199e5a708dbeb22ae0832455a3fa
• Instruction Fuzzy Hash: D4D09EB2144608DFCB409F41D808BA177A9FB55315F5040AAE5485A522C7339862DF55
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B6027: __lock.LIBCMT ref: 005B6029
• __onexit_nolock.LIBCMT ref: 005B8BA9
  • Part of subcall function 005B8AAA: RtlDecodePointer.NTDLL(?), ref: 005B8ABF
  • Part of subcall function 005B8AAA: RtlDecodePointer.NTDLL ref: 005B8ACC
  • Part of subcall function 005B8AAA: __realloc_crt.LIBCMT ref: 005B8B09
  • Part of subcall function 005B8AAA: __realloc_crt.LIBCMT ref: 005B8B1F
  • Part of subcall function 005B8AAA: RtlEncodePointer.NTDLL(00000000), ref: 005B8B31
  • Part of subcall function 005B8AAA: RtlEncodePointer.NTDLL(000000C7), ref: 005B8B45
  • Part of subcall function 005B8AAA: RtlEncodePointer.NTDLL(-00000004), ref: 005B8B4D
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
• String ID:
• API String ID: 3536590627-0
• Opcode ID: 1a6e4c484800c091bfcd12225422a7768afb95a27e72c5eae6818f9832374a39
• Instruction ID: 49f602f23efd1951346255d47a57de7aaca6c853742068e71714724c438f5c96
• Opcode Fuzzy Hash: 1a6e4c484800c091bfcd12225422a7768afb95a27e72c5eae6818f9832374a39
• Instruction Fuzzy Hash: 98D067B190520BEADB50BBA4D90ABEDBEA4BF80321F604255B114661D2CAB87641DA15
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0041E113
                                                                                                                                • Part of subcall function 00405462: __EH_prolog3.LIBCMT ref: 00405469
                                                                                                                                • Part of subcall function 00405462: FreeLibrary.KERNEL32(?), ref: 004055CA
                                                                                                                                • Part of subcall function 004CA34D: __EH_prolog3_catch_GS.LIBCMT ref: 004CA357
                                                                                                                                • Part of subcall function 004CA34D: GlobalDeleteAtom.KERNEL32(?), ref: 004CA402
                                                                                                                                • Part of subcall function 004CA34D: GlobalDeleteAtom.KERNEL32(?), ref: 004CA415
                                                                                                                                • Part of subcall function 004CA34D: _free.LIBCMT ref: 004CA447
                                                                                                                                • Part of subcall function 004CA34D: _free.LIBCMT ref: 004CA44F
                                                                                                                                • Part of subcall function 004CA34D: _free.LIBCMT ref: 004CA457
                                                                                                                                • Part of subcall function 004CA34D: _free.LIBCMT ref: 004CA45F
                                                                                                                                • Part of subcall function 004CA34D: _free.LIBCMT ref: 004CA467
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$AtomDeleteGlobalH_prolog3$FreeH_prolog3_catch_Library
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 675080141-0
                                                                                                                              • Opcode ID: 7466d3e1515d5cb88e22c3c93ff0e0474a769487ebb5655857fb6e72d2c17b76
                                                                                                                              • Instruction ID: e8e89a98196806cacb9f970270850bf3e739947f70bfdd30f47313702fc2b245
                                                                                                                              • Opcode Fuzzy Hash: 7466d3e1515d5cb88e22c3c93ff0e0474a769487ebb5655857fb6e72d2c17b76
                                                                                                                              • Instruction Fuzzy Hash: 70D05E74501A15CACB28FBA4C8177DC7A22BB40324F40835DB065571D1DF782A058B9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049B6C6
                                                                                                                                • Part of subcall function 0049B2E6: __EH_prolog3.LIBCMT ref: 0049B2ED
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 431132790-0
                                                                                                                              • Opcode ID: 960e5c1a84d83fbb9b47a9c1299279ac63d44f9ed5df5f3002a0f6caba85c7e6
                                                                                                                              • Instruction ID: 1b63b986fec2be6298a8efe622d74afaac5772fd3af8e43fe5bb394f675c7fbe
                                                                                                                              • Opcode Fuzzy Hash: 960e5c1a84d83fbb9b47a9c1299279ac63d44f9ed5df5f3002a0f6caba85c7e6
                                                                                                                              • Instruction Fuzzy Hash: 75D0237060051347CF05BFA9554934D7D62BF44704F10415DF10047241DBF84D01C7DD
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000), ref: 00444151
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeLibrary
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3664257935-0
                                                                                                                              • Opcode ID: 103f927f602f5a0317de6a2c5cd1cfa53a8ab444d2c6c0327b1a273052c33ba3
                                                                                                                              • Instruction ID: d4e69dbf1e194ba49a87958b2119b5c4a679d8064e8341f04c3b2b0b6db8d1d1
                                                                                                                              • Opcode Fuzzy Hash: 103f927f602f5a0317de6a2c5cd1cfa53a8ab444d2c6c0327b1a273052c33ba3
                                                                                                                              • Instruction Fuzzy Hash: 5AD0C9385102109BF7518F26EC0D75232A9B3A5727F408857E411862A1C7FCC844CF28
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __waccess_s
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4272103461-0
                                                                                                                              • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                              • Instruction ID: 06a8dfc5b5382ff6f70570218ebd444095adc4c1c8c94db762e3e7e7b38cb168
                                                                                                                              • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                              • Instruction Fuzzy Hash: 79C09B3305410DBF5F095EE6EC05C553F5AD6C0B707104115FD1C895D1DD32E5519540
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 004B7F1F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteObject
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1531683806-0
                                                                                                                              • Opcode ID: 8dee5854ebe7aa5f13c9033a5ab4ff6aeade993cfb45559b4498977012504771
                                                                                                                              • Instruction ID: 00a8a13074e23b8742a44423fba3bf5989ccb7d2aceae7f2bf33efe7f2b7f19c
                                                                                                                              • Opcode Fuzzy Hash: 8dee5854ebe7aa5f13c9033a5ab4ff6aeade993cfb45559b4498977012504771
                                                                                                                              • Instruction Fuzzy Hash: 83B09260829101AACF40AB3099087672658DB8134EF00ACDAF000C2411DA3DC8629568
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 005C0753
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: EncodePointer
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2118026453-0
                                                                                                                              • Opcode ID: 905165860b6ed8c8715898cef22770677476cbdf78b9dcccd65c6754a04bb9de
                                                                                                                              • Instruction ID: 5761ffe3777639a9d3f19702e4ed114a9c722a50efb098d2d1832c376bda3d2f
                                                                                                                              • Opcode Fuzzy Hash: 905165860b6ed8c8715898cef22770677476cbdf78b9dcccd65c6754a04bb9de
                                                                                                                              • Instruction Fuzzy Hash:
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • _memset.LIBCMT ref: 004560BD
                                                                                                                              • _memset.LIBCMT ref: 004560D6
                                                                                                                              • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?), ref: 0045611A
                                                                                                                              • GetTempFileNameA.KERNEL32(?,IRWIN,00000000,?), ref: 00456134
                                                                                                                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 00456146
• DeleteFileA.KERNEL32(?), ref: 00456153
• _memset.LIBCMT ref: 0045617B
• _memset.LIBCMT ref: 00456193
• _memset.LIBCMT ref: 004561AC
• _memset.LIBCMT ref: 004561C5
• _memset.LIBCMT ref: 004561DA
• _memset.LIBCMT ref: 004561F3
• LoadLibraryA.KERNEL32 ref: 00456238
• GetProcAddress.KERNEL32(00000000,InternetQueryOptionA), ref: 0045624E
• _strncpy.LIBCMT ref: 00456298
• GetProcAddress.KERNEL32(?,DetectAutoProxyUrl), ref: 004562B6
• GlobalFree.KERNEL32(?), ref: 004562E4
• GlobalFree.KERNEL32(?), ref: 004562F8
• GlobalFree.KERNEL32(?), ref: 0045630C
• FreeLibrary.KERNEL32(?), ref: 00456318
• URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0045633B
• LoadLibraryA.KERNEL32(jsproxy.dll), ref: 0045634D
• GetProcAddress.KERNEL32(00000000,InternetInitializeAutoProxyDll), ref: 00456363
• GetProcAddress.KERNEL32(?,InternetGetProxyInfo), ref: 00456453
• GetProcAddress.KERNEL32(?,InternetDeInitializeAutoProxyDll), ref: 004564CE
• FreeLibrary.KERNEL32(?), ref: 00456514
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _memset$AddressFreeProc$FileLibrary$Global$LoadTemp$AttributesDeleteDownloadH_prolog3NamePath_strncpy
• String ID: %s; DIRECT$DetectAutoProxyUrl$IRWIN$InternetDeInitializeAutoProxyDll$InternetGetProxyInfo$InternetInitializeAutoProxyDll$InternetQueryOptionA$jsproxy.dll$wininet.dll
• API String ID: 4184236387-3288637522
• Opcode ID: 606f42a76f94bfec8ab23838f5364e068ad5f7ca1bddbfc8f05c004e9364ab74
• Instruction ID: 2b89044c4d1fa97e4a93ad672681e0552d21f9dd0047828ba835c0180919aa9b
• Opcode Fuzzy Hash: 606f42a76f94bfec8ab23838f5364e068ad5f7ca1bddbfc8f05c004e9364ab74
• Instruction Fuzzy Hash: 52E14B71800129AFDB25EF64CC89ADEB7B9AF54305F4041EBF509A3291DB785E88DF24
Uniqueness
• Uniqueness Score: -1.00%

Strings
Similarity
• API ID: _memset$CapsDevice
• String ID: $#$#$###$%$%$&$&$'$'$'$($*$+$+$+$.$.$2$2$=$=$=$F$K$P$P$TREEVIEW$U
• API String ID: 4259712331-1572848309
• Opcode ID: 029aa2a5590a31450cfd1a517c5eb389843472d0ae2eba93f2aa9959f5e9c58b
• Instruction ID: 26a98f4255d575996a039936bf46db6046d671b1156a92118600f7e8cfc1dbc3
• Opcode Fuzzy Hash: 029aa2a5590a31450cfd1a517c5eb389843472d0ae2eba93f2aa9959f5e9c58b
• Instruction Fuzzy Hash: C052C6B0E0021A8BDB689F55CC957EEBAF2EF84300F1045AEE149AB781DF744A85DF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0048C58E
• __wcstoui64.LIBCMT ref: 0048C64A
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Strings
Similarity
• API ID: H_prolog3$Exception@8Throw__wcstoui64_malloc
• String ID: BannerStyle$Control$Controls$Event$Events$Languages$Name$OverrideProjTheme$SUF70Messages$Screen$TemplateName$Type
• API String ID: 656894965-1496283926
• Opcode ID: adbfcfa7ba50de28cd8da4bb763e84f3468c5aea1286a758add6620df81d8375
• Instruction ID: e2ceec6e78e82a4b372589e6120e03302e645cdcc8d116ce0fe9af776fdee5db
• Opcode Fuzzy Hash: adbfcfa7ba50de28cd8da4bb763e84f3468c5aea1286a758add6620df81d8375
• Instruction Fuzzy Hash: 17227471A00605DFCB14EF69C4D16AE7BE1BF05704B10892FF05ADB381DB389A45DBA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00532238
  • Part of subcall function 0051D395: FillRect.USER32(?,00000020), ref: 0051D3A9
Strings
Similarity
• API ID: FillH_prolog3Rect
• String ID: d
• API String ID: 1863035756-2564639436
• Opcode ID: 109641c05fc1234c889fd8936556ff959c9cfc6cb5479d285a569becb4cc3750
• Instruction ID: 7cf71ced5e7cc05471913a4018555806e493a5ad3420f147ccc02e3871bb8968
• Opcode Fuzzy Hash: 109641c05fc1234c889fd8936556ff959c9cfc6cb5479d285a569becb4cc3750
• Instruction Fuzzy Hash: 36C19B7190061AAFCF14DFA8CC959EEBFB5BF48310F10452AF551EA291C738DA51DBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _strlen$__snprintf$H_prolog3_LocalTime
• String ID: 0%d
• API String ID: 2764676485-2030455076
• Opcode ID: 4970c43f7d3216292b8033e34e97797c6d38c94478809dfbf031d517fdd216ac
• Instruction ID: 408cd10bde44bc553a6376a0e6a6d495c2a4fd1263f7b1e2614ce7aa90374674
• Opcode Fuzzy Hash: 4970c43f7d3216292b8033e34e97797c6d38c94478809dfbf031d517fdd216ac
• Instruction Fuzzy Hash: 49318170D0010A6EDB01AFA8DC56DFEBBBEFF44705B40451BF500A3282DB78AD4687A5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0044A1D6
  • Part of subcall function 00485930: __EH_prolog3.LIBCMT ref: 00485937
  • Part of subcall function 00485930: __time64.LIBCMT ref: 0048598D
  • Part of subcall function 00485930: __time64.LIBCMT ref: 00485993
  • Part of subcall function 00485930: __time64.LIBCMT ref: 00485999
  • Part of subcall function 0041E239: __mbsinc.LIBCMT ref: 0041E25A
• _strlen.LIBCMT ref: 0044A263
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
  • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
• FindFirstFileA.KERNEL32(?,?,?,00000000,?), ref: 0044A2C1
• IsWindow.USER32(?), ref: 0044A2D7
• InterlockedIncrement.KERNEL32(?), ref: 0044A438
• FindNextFileA.KERNEL32(000000FF,?), ref: 0044A4BE
• FindClose.KERNEL32(000000FF), ref: 0044A4D2
• FindFirstFileA.KERNEL32(?,?), ref: 0044A535
• IsWindow.USER32(?), ref: 0044A59C
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 00475113: __EH_prolog3.LIBCMT ref: 0047511A
  • Part of subcall function 004B8882: IsWindow.USER32(?), ref: 004B8896
  • Part of subcall function 00449FCA: __EH_prolog3.LIBCMT ref: 00449FD1
• InterlockedIncrement.KERNEL32(?), ref: 0044A65A
• FindNextFileA.KERNEL32(00000000,00000010), ref: 0044A678
• FindClose.KERNEL32(00000000), ref: 0044A687
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$FileH_prolog3$Window__time64$CloseFirstIncrementInterlockedNext_memcpy_s$H_prolog3___mbsinc_strlen_strnlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 968620008-0
                                                                                                                              • Opcode ID: 0554961d7f6759f72fd1560f7a80a8bb58357d64459ff3222d7c0cf70b037335
                                                                                                                              • Instruction ID: 077aed5ee25add7a01d95150901a5cd30f4a91839218a469bac76b62b0b7ce0a
                                                                                                                              • Opcode Fuzzy Hash: 0554961d7f6759f72fd1560f7a80a8bb58357d64459ff3222d7c0cf70b037335
                                                                                                                              • Instruction Fuzzy Hash: 5BE18C71900618DBDB25DFA8CC49BDE77B8AF15318F0402DEB419A62D2DB389E84CF65
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004C8668
                                                                                                                              • _strlen.LIBCMT ref: 004C8727
                                                                                                                              • _strlen.LIBCMT ref: 004C8731
                                                                                                                              • _strlen.LIBCMT ref: 004C87A1
                                                                                                                              • _memcpy_s.LIBCMT ref: 004C87E7
                                                                                                                                • Part of subcall function 004B4AE6: __EH_prolog3.LIBCMT ref: 004B4AED
                                                                                                                              • _strlen.LIBCMT ref: 004C87FC
                                                                                                                              • _memcpy_s.LIBCMT ref: 004C8847
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              • PathRemoveFileSpecW.SHLWAPI(?,?,00000000,00000000,?,?,?,?,?,00000000,00000000,00000218), ref: 004C895E
                                                                                                                                • Part of subcall function 004B4379: _wmemcpy_s.LIBCPMT ref: 004B43BD
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _strlen$H_prolog3$_memcpy_s$Exception@8FilePathRemoveSpecThrow_wmemcpy_s
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1565231592-3916222277
                                                                                                                              • Opcode ID: dc5b885059167bdfb66de8da1d07356e8572bdc1a22c39934d02a331e23f6957
                                                                                                                              • Instruction ID: 39400909ded5966ca4e9e5b1b361c1bd5eff571311a8e45c49c752dee28b4919
                                                                                                                              • Opcode Fuzzy Hash: dc5b885059167bdfb66de8da1d07356e8572bdc1a22c39934d02a331e23f6957
                                                                                                                              • Instruction Fuzzy Hash: D402CE75A01206CFCF58DFA4C945FBEB7B5BF84315F14026EE511AB2A2DB389A01CB64
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 004860D7
                                                                                                                                • Part of subcall function 00485930: __EH_prolog3.LIBCMT ref: 00485937
                                                                                                                                • Part of subcall function 00485930: __time64.LIBCMT ref: 0048598D
                                                                                                                                • Part of subcall function 00485930: __time64.LIBCMT ref: 00485993
                                                                                                                                • Part of subcall function 00485930: __time64.LIBCMT ref: 00485999
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                              • FindFirstFileA.KERNEL32(?,?,00000000,00698DAC,00000000), ref: 0048617E
                                                                                                                                • Part of subcall function 004850AA: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004850DC
                                                                                                                              • IsWindow.USER32(?), ref: 0048619B
                                                                                                                              • InterlockedIncrement.KERNEL32(00000000), ref: 0048636A
                                                                                                                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004863F4
                                                                                                                              • FindClose.KERNEL32(000000FF), ref: 0048640C
                                                                                                                                • Part of subcall function 00485382: __EH_prolog3.LIBCMT ref: 00485389
                                                                                                                                • Part of subcall function 004B8882: IsWindow.USER32(?), ref: 004B8896
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FindH_prolog3__time64$FileWindow$CloseFirstH_prolog3_IncrementInterlockedMessageNextPeek
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 499981334-0
                                                                                                                              • Opcode ID: 648d4275f7f3c1845034083f7b4d3d312dfc6ceafe13cf993faa4f6d34bdf3cd
                                                                                                                              • Instruction ID: 7494a8360f8e5c29ec65089434091a27dbf0108b0ef7a2a7593475d563dee931
                                                                                                                              • Opcode Fuzzy Hash: 648d4275f7f3c1845034083f7b4d3d312dfc6ceafe13cf993faa4f6d34bdf3cd
                                                                                                                              • Instruction Fuzzy Hash: 0FA18D71900618DBCB15EFA8CC45BDE77B8AF05324F0402DAB519A73D2DB389A84CF55
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 005DA575
                                                                                                                                • Part of subcall function 005D31F9: __EH_prolog3_catch.LIBCMT ref: 005D3200
                                                                                                                                • Part of subcall function 005D31F9: TlsGetValue.KERNEL32(00000000,0000000C,005D68EE,00000408,005D2578,00000011,is5_GetHBITMAPDimensions,00000000), ref: 005D3217
                                                                                                                                • Part of subcall function 005D31F9: TlsSetValue.KERNEL32(?,00000000), ref: 005D324E
                                                                                                                                • Part of subcall function 005D31F9: GetLastError.KERNEL32(?,00000000), ref: 005D3258
                                                                                                                                • Part of subcall function 005D31F9: __CxxThrowException@8.LIBCMT ref: 005D326A
                                                                                                                                • Part of subcall function 005D31F9: RtlEnterCriticalSection.NTDLL(?), ref: 005D3273
                                                                                                                                • Part of subcall function 005D31F9: RtlLeaveCriticalSection.NTDLL(?), ref: 005D3289
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalSectionValue$EnterErrorException@8H_prolog3H_prolog3_catchLastLeaveThrow
                                                                                                                              • String ID: \lv$\lv
                                                                                                                              • API String ID: 3824262711-1248172524
                                                                                                                              • Opcode ID: 11308860366b7c883d8f88fb7039b14e1742dd9f1ce92b642fe51a575e00848e
                                                                                                                              • Instruction ID: 94b568a08275849e2ae8b7f4840a1345831ae3ea82473afeb9951e50fcf8cb66
                                                                                                                              • Opcode Fuzzy Hash: 11308860366b7c883d8f88fb7039b14e1742dd9f1ce92b642fe51a575e00848e
                                                                                                                              • Instruction Fuzzy Hash: AB819C35A0428ADBCF25DF2CC4511EE7FB2FF89314B29856BE8599B342D634D941CB82
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • CreateServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004465F5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateService
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1592570254-0
                                                                                                                              • Opcode ID: fcc468ca0262f4d24dddf22ef27b21f886faff025ed9febb6d27ccd9b66b1bc0
                                                                                                                              • Instruction ID: 14e27b65de38494583534c202d89320e41258d1366f53594c3af0feef897a22e
                                                                                                                              • Opcode Fuzzy Hash: fcc468ca0262f4d24dddf22ef27b21f886faff025ed9febb6d27ccd9b66b1bc0
                                                                                                                              • Instruction Fuzzy Hash: BF118232200105FFEF125F65DD00AEB3BAAEF09354F06852AFD1591160D735D861EF55
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              APIs
                                                                                                                              • DeleteService.ADVAPI32(?), ref: 00446671
                                                                                                                                • Part of subcall function 00446385: GetLastError.KERNEL32(?,?,004463C1,00000000,?,0044648E,?,00442845,00000004), ref: 00446392
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteErrorLastService
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2624721794-0
                                                                                                                              • Opcode ID: 7b44eafab7cdb904cbeaf4d9293198b9d76f66c0df4276558a7801e48be1427d
                                                                                                                              • Instruction ID: f87340a0c3915b5f4fa2438ffc14ac151fa7b20e61513ccc49f30c6027448dc0
                                                                                                                              • Opcode Fuzzy Hash: 7b44eafab7cdb904cbeaf4d9293198b9d76f66c0df4276558a7801e48be1427d
                                                                                                                              • Instruction Fuzzy Hash: A7D0A73125592005BB607A353C016D715898B02691B0B042BB80DC0144DE59CC428199
                                                                                                                              Uniqueness
                                                                                                                              • Uniqueness Score: -1.00%
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: N@
                                                                                                                              • API String ID: 0-1509896676
                                                                                                                              • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                                              • Instruction ID: 701dfd93812aa6a2f10aa8cb1683978420a17b58da22190379c75f13928cda00
                                                                                                                              • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                                              • Instruction Fuzzy Hash: C16137729013158FCB28CF49D4846AABBF2BF84310F1AC5AFD9095B3A2D7B19955CB84
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00478322
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
• _memset.LIBCMT ref: 00478346
• _memset.LIBCMT ref: 0047835D
• GetVersionExA.KERNEL32 ref: 004783F0
• GetVersionExA.KERNEL32(?), ref: 00478416
• GetSystemMetrics.USER32(00000059), ref: 004784ED
• GetSystemMetrics.USER32(00000057), ref: 004784F7
• GetSystemMetrics.USER32(00000058), ref: 00478501
• GetSystemMetrics.USER32(00000056), ref: 0047850B
• lua_createtable.LUA5.1(?,00000000,00000000,00000000), ref: 0047852C
• lua_pushstring.LUA5.1(?,MajorVersion,?,00699430,?,?,00000000,00000000,00000000), ref: 0047854E
• lua_pushstring.LUA5.1(?,?,?,MajorVersion,?,00699430,?,?,00000000,00000000,00000000), ref: 0047855A
• lua_settable.LUA5.1(?,000000FD,?,?,?,MajorVersion,?,00699430,?,?,00000000,00000000,00000000), ref: 00478564
• lua_pushstring.LUA5.1(?,MinorVersion,?,00699430,?,?,000000FD,?,?,?,MajorVersion,?,00699430,?,?,00000000), ref: 00478586
• lua_pushstring.LUA5.1(?,?), ref: 00478595
  • Part of subcall function 004593D3: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593E5
  • Part of subcall function 004593D3: lua_pushstring.LUA5.1(?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F0
  • Part of subcall function 004593D3: lua_gettable.LUA5.1(?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F8
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459400
  • Part of subcall function 004593D3: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459408
  • Part of subcall function 004593D3: lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 0045941E
  • Part of subcall function 004593D3: lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00407717), ref: 0045942A
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FF,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 00459439
• lua_pushnil.LUA5.1(?), ref: 00478953
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_pushstring.$MetricsSystemlua_remove.$Version_memsetlua_getfield.lua_gettable.lua_pcall.lua_type.$H_prolog3_lua_createtable.lua_pushnil.lua_pushnumber.lua_settable.
• String ID: BackOffice$Blade$BuildNumber$CSDVersion$Communications$ComputeServer$DataCenter$EmbeddedNT$Enterprise$MajorVersion$MinorVersion$Personal$PlatformId$ProductType$Server2003R2$ServicePackMajor$ServicePackMinor$SingleUserTerminalService$SmallBusiness$SmallBusinessRestricted$StarterEdition$TabletPCEdition$Terminal$XPMediaCenterEdition
• API String ID: 4198366811-4272276067
• Opcode ID: fba31b90052455933ebeaf49e445128a3895119376b57364f4523a0a205c0366
• Instruction ID: ca089eadf3be6d0a966c28e9d2eb6daac2bb1133f682b5891abd011e6012ac18
• Opcode Fuzzy Hash: fba31b90052455933ebeaf49e445128a3895119376b57364f4523a0a205c0366
• Instruction Fuzzy Hash: 82E13E71809A24AADB217F638C06FDE7A79AF5630AF00419EF10C75157DB385B818E69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,CD12B711,?,?,SetupValues,00000000,006770A3,000000FF,?,?,?,0000000A,?,00000001), ref: 0041E545
• GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,SetupValues,00000000,006770A3,000000FF,?,?,?,0000000A,?,00000001), ref: 0041E563
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0041E57C
• __splitpath_s.LIBCMT ref: 0041E5A5
• lstrcpy.KERNEL32(?,?), ref: 0041E5C1
• lstrcat.KERNEL32(?,?), ref: 0041E5D7
• lstrcat.KERNEL32(?,lua5.1.dll), ref: 0041E5E5
• lstrcpy.KERNEL32(?,/c for /L %i in (1,1,30) do IF EXIST "), ref: 0041E5F3
• lstrcat.KERNEL32(?,?), ref: 0041E603
• lstrcat.KERNEL32(?,0069A128), ref: 0041E612
• lstrcat.KERNEL32(?, del ), ref: 0041E620
• lstrcat.KERNEL32(?,0069A128), ref: 0041E62A
• lstrcat.KERNEL32(?,?), ref: 0041E63A
• lstrcat.KERNEL32(?,0069A128), ref: 0041E644
• lstrcat.KERNEL32(?, | del ), ref: 0041E652
• lstrcat.KERNEL32(?,0069A128), ref: 0041E65C
• lstrcat.KERNEL32(?,?), ref: 0041E66C
• lstrcat.KERNEL32(?,0069A128), ref: 0041E676
• lstrcpy.KERNEL32(?,/c del ), ref: 0041E684
• lstrcat.KERNEL32(?,0069A128), ref: 0041E692
• lstrcat.KERNEL32(?,?), ref: 0041E6A2
• lstrcat.KERNEL32(?,0069A128), ref: 0041E6AC
• lstrcpy.KERNEL32(?, | del ), ref: 0041E6BA
• lstrcat.KERNEL32(?,0069A128), ref: 0041E6C8
• lstrcat.KERNEL32(?,?), ref: 0041E6D8
• lstrcat.KERNEL32(?,0069A128), ref: 0041E6E2
• __splitpath_s.LIBCMT ref: 0041E701
• lstrcpy.KERNEL32(?,?), ref: 0041E717
• lstrcat.KERNEL32(?,?), ref: 0041E72B
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0041E239: __mbsinc.LIBCMT ref: 0041E25A
• lstrcpy.KERNEL32(?,-00000010), ref: 0041E856
• GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 0041E896
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0041E8A9
• lstrcat.KERNEL32(?, | rmdir ), ref: 0041E8C3
• lstrcat.KERNEL32(?,0069A128), ref: 0041E8CD
• lstrcat.KERNEL32(?,?), ref: 0041E8DD
• lstrcat.KERNEL32(?,0069A128), ref: 0041E8E7
• lstrcat.KERNEL32(?, | rmdir ), ref: 0041E918
• lstrcat.KERNEL32(?,0069A128), ref: 0041E922
• lstrcat.KERNEL32(?,?), ref: 0041E931
• lstrcat.KERNEL32(?,0069A128), ref: 0041E93B
• lstrcat.KERNEL32(?, > NUL), ref: 0041E949
• lstrcat.KERNEL32(?, > NUL), ref: 0041E957
• GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104,?,0000005C,0000000A), ref: 0041E9AD
• ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 0041E9E5
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lstrcat$lstrcpy$Name$Path$FullShort__splitpath_s$EnvironmentExecuteFileH_prolog3ModuleShellVariable__mbsinc
• String ID: > NUL$ del $ | del $ | rmdir $/c del $/c for /L %i in (1,1,30) do IF EXIST "$ComSpec$SetupValues$lua5.1.dll
• API String ID: 2024491441-2339238920
• Opcode ID: a5dff28a414583209a07ac022cf3d5ea87a631bc0d4c0d44ef12197144a20c71
• Instruction ID: 892ae718a925ea176d4b291da2811c508c19a23f12ed92721aa22e290b47de64
• Opcode Fuzzy Hash: a5dff28a414583209a07ac022cf3d5ea87a631bc0d4c0d44ef12197144a20c71
• Instruction Fuzzy Hash: 2EE1FCB290112CAFDB20DBA5DC85EDABBBCAF48314F0005E6E549E3141DA74AAD4CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004625D3
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
• lua_getfield.LUA5.1(00000000,FFFFD8EE,StatusDlg), ref: 004626C8
• lua_pushstring.LUA5.1(00000000,SetTitle,00000000,FFFFD8EE,StatusDlg), ref: 004626D3
• lua_gettable.LUA5.1(00000000,000000FE,00000000,SetTitle,00000000,FFFFD8EE,StatusDlg), ref: 004626DB
• lua_remove.LUA5.1(00000000,000000FE,00000000,000000FE,00000000,SetTitle,00000000,FFFFD8EE,StatusDlg), ref: 004626E3
• lua_type.LUA5.1(00000000,000000FF,00000000,000000FE,00000000,000000FE,00000000,SetTitle,00000000,FFFFD8EE,StatusDlg), ref: 004626EB
• lua_pushstring.LUA5.1(00000000,?), ref: 004626FC
• lua_pcall.LUA5.1(00000000,00000001,00000000,00000000,00000000,?), ref: 00462708
• lua_remove.LUA5.1(00000000,000000FF), ref: 00462717
• lua_getfield.LUA5.1(00000000,FFFFD8EE,StatusDlg), ref: 00462721
• lua_pushstring.LUA5.1(00000000,SetMessage,00000000,FFFFD8EE,StatusDlg), ref: 0046272C
• lua_gettable.LUA5.1(00000000,000000FE,00000000,SetMessage,00000000,FFFFD8EE,StatusDlg), ref: 00462734
• lua_remove.LUA5.1(00000000,000000FE,00000000,000000FE,00000000,SetMessage,00000000,FFFFD8EE,StatusDlg), ref: 0046273C
• lua_type.LUA5.1(00000000,000000FF,00000000,000000FE,00000000,000000FE,00000000,SetMessage,00000000,FFFFD8EE,StatusDlg), ref: 00462744
• lua_pushstring.LUA5.1(00000000,00000000,?,?,00000037), ref: 0046277E
• lua_pcall.LUA5.1(00000000,00000001,00000000,00000000,?,?,00000037), ref: 00462797
• lua_remove.LUA5.1(00000000,000000FF), ref: 004627A6
• lua_getfield.LUA5.1(00000000,FFFFD8EE,StatusDlg), ref: 004627B0
• lua_pushstring.LUA5.1(00000000,SetMeterPos,00000000,FFFFD8EE,StatusDlg), ref: 004627BB
• lua_gettable.LUA5.1(00000000,000000FE,00000000,SetMeterPos,00000000,FFFFD8EE,StatusDlg), ref: 004627C3
• lua_remove.LUA5.1(00000000,000000FE,00000000,000000FE,00000000,SetMeterPos,00000000,FFFFD8EE,StatusDlg), ref: 004627CB
• lua_type.LUA5.1(00000000,000000FF,00000000,000000FE,00000000,000000FE,00000000,SetMeterPos,00000000,FFFFD8EE,StatusDlg), ref: 004627D3
• lua_pushnumber.LUA5.1(00000000), ref: 004627F6
• lua_pcall.LUA5.1(00000000,00000001,00000000,00000000,00000000), ref: 00462802
• lua_remove.LUA5.1(00000000,000000FF), ref: 00462811
• lua_getfield.LUA5.1(00000000,FFFFD8EE,StatusDlg), ref: 0046281B
• lua_pushstring.LUA5.1(00000000,IsCancelled,00000000,FFFFD8EE,StatusDlg), ref: 00462826
• lua_gettable.LUA5.1(00000000,000000FE,00000000,IsCancelled,00000000,FFFFD8EE,StatusDlg), ref: 0046282E
• lua_remove.LUA5.1(00000000,000000FE,00000000,000000FE,00000000,IsCancelled,00000000,FFFFD8EE,StatusDlg), ref: 00462836
• lua_type.LUA5.1(00000000,FFFFD8EE,00000000,000000FE,00000000,000000FE,00000000,IsCancelled,00000000,FFFFD8EE,StatusDlg), ref: 00462840
                                                                                                                              • lua_pcall.LUA5.1(00000000,00000000,00000001,00000000), ref: 00462854
                                                                                                                              • lua_remove.LUA5.1(00000000,FFFFD8EE), ref: 00462862
                                                                                                                              • lua_type.LUA5.1(00000000,FFFFD8EE), ref: 0046286C
                                                                                                                              • lua_type.LUA5.1(00000000,00000000), ref: 004629BD
                                                                                                                              • lua_settop.LUA5.1(00000000,000000FE), ref: 00462898
                                                                                                                                • Part of subcall function 00459912: __EH_prolog3.LIBCMT ref: 00459919
                                                                                                                                • Part of subcall function 00459912: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,00407B22,?,00000002), ref: 00459949
                                                                                                                              • lua_pushvalue.LUA5.1(00000000,000000FF), ref: 004628A9
                                                                                                                              • lua_type.LUA5.1(00000000,000000FF,00000000,000000FF), ref: 004628B1
                                                                                                                              • lua_pushstring.LUA5.1(00000000,?), ref: 004628C6
                                                                                                                              • lua_pushnumber.LUA5.1(00000000,00000000,?), ref: 004628FB
                                                                                                                              • lua_pushnumber.LUA5.1(00000000,?), ref: 0046292A
                                                                                                                              • lua_pcall.LUA5.1(00000000,00000003,00000001,00000000,00000000,?), ref: 00462935
                                                                                                                              • lua_tolstring.LUA5.1(00000000,000000FF,00000000), ref: 00462945
                                                                                                                              • lua_settop.LUA5.1(00000000,000000FE), ref: 0046295D
                                                                                                                              • lua_remove.LUA5.1(00000000,00000000,00000000,00000000), ref: 004629D4
                                                                                                                              • lua_remove.LUA5.1(00000000,000000FF), ref: 004629E1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_remove.$lua_type.$lua_pushstring.$lua_pcall.$H_prolog3lua_getfield.lua_gettable.$lua_pushnumber.$lua_settop.$lua_pushvalue.lua_tolstring.
                                                                                                                              • String ID: Deleting$IsCancelled$MSG_DELETING$SetMessage$SetMeterPos$SetTitle$StatusDlg$__NOREPORT__
                                                                                                                              • API String ID: 2464475924-4049856608
                                                                                                                              • Opcode ID: 3e110dd7dcd37460bdc560726d9f197cc62998c786d5d70acb98167282fddbe1
                                                                                                                              • Instruction ID: 4799a319ce2d263d2ec391f832f653a48ed384e294b1e496264e05adbbed37d3
                                                                                                                              • Opcode Fuzzy Hash: 3e110dd7dcd37460bdc560726d9f197cc62998c786d5d70acb98167282fddbe1
                                                                                                                              • Instruction Fuzzy Hash: 72C1C6719086167BDB14AF66CD42FDF36A4AF46335F10061EF430A62D2DF7CA60186AE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004643C5
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_type.LUA5.1(?,00000002), ref: 0046440C
• lua_type.LUA5.1(?,00000002), ref: 0046441B
• lua_type.LUA5.1(?,00000003), ref: 00464449
• lua_type.LUA5.1(?,00000003), ref: 00464458
• lua_type.LUA5.1(?,00000004), ref: 0046447C
• lua_type.LUA5.1(?,00000004), ref: 0046448D
• lua_type.LUA5.1(?,00000005), ref: 004644B1
• lua_type.LUA5.1(?,00000005), ref: 004644BF
• lua_type.LUA5.1(?,00000006), ref: 004644E7
• lua_type.LUA5.1(?,00000006), ref: 004644F5
• lua_type.LUA5.1(?,00000007), ref: 00464523
• lua_type.LUA5.1(?,00000007), ref: 00464531
• lua_type.LUA5.1(?,00000008), ref: 0046455F
• lua_type.LUA5.1(?,00000008), ref: 0046456D
• lua_type.LUA5.1(?,00000009), ref: 00464592
• lua_type.LUA5.1(?,00000009), ref: 004645A0
• lua_type.LUA5.1(?,0000000A), ref: 004645D3
• lua_type.LUA5.1(?,0000000A), ref: 004645E5
• lua_type.LUA5.1(?,0000000A), ref: 004645F6
• lua_next.LUA5.1(?,0000000A,?), ref: 0046460E
• lua_tolstring.LUA5.1(?,000000FE,00000000), ref: 00464620
• lua_pushnil.LUA5.1(?), ref: 00464607
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• lua_toboolean.LUA5.1(?,000000FF,00000000), ref: 00464634
• lua_settop.LUA5.1(?,000000FE,UnicodeEnvironment,Suspended,SeparateWOWVDM,NewProcessGroup,NewConsole,DefaultErrorMode,00000000), ref: 004646D2
• lua_next.LUA5.1(?,0000000A,?,000000FE,UnicodeEnvironment,Suspended,SeparateWOWVDM,NewProcessGroup,NewConsole,DefaultErrorMode,00000000), ref: 004646D9
• _memset.LIBCMT ref: 00464705
• _memset.LIBCMT ref: 00464712
  • Part of subcall function 00451FEA: __EH_prolog3.LIBCMT ref: 00451FF1
• lua_type.LUA5.1(?,0000000B), ref: 0046480B
• lua_pushstring.LUA5.1(?,ErrorCode), ref: 0046481D
• lua_pushnumber.LUA5.1(?,?,ErrorCode), ref: 00464829
• lua_settable.LUA5.1(?,000000FD,?,?,ErrorCode), ref: 00464831
• lua_pushstring.LUA5.1(?,ErrorMsg,?,000000FD,?,?,ErrorCode), ref: 0046483C
• lua_pushstring.LUA5.1(?,?,?,ErrorMsg,?,000000FD,?,?,ErrorCode), ref: 00464845
• lua_settable.LUA5.1(?,000000FD,?,?,?,ErrorMsg,?,000000FD,?,?,ErrorCode), ref: 0046484D
• lua_pushnumber.LUA5.1(?,?,?), ref: 00464872
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_type.$H_prolog3$lua_pushstring.$_memsetlua_next.lua_pushnumber.lua_remove.lua_settable.lua_tolstring.$_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_settop.lua_toboolean.
• String ID: DefaultErrorMode$ErrorCode$ErrorMsg$NewConsole$NewProcessGroup$SeparateWOWVDM$Suspended$UnicodeEnvironment
• API String ID: 431716515-1771895760
• Opcode ID: f5c9c18e4bed22d7121c33a99638c6f92f85098747fbe1709fa00c48dce7dab2
• Instruction ID: 8d1e95e7449e80a959716473ac4a97f1fdcf4c0c94b79b99ad9d69d9bc814703
• Opcode Fuzzy Hash: f5c9c18e4bed22d7121c33a99638c6f92f85098747fbe1709fa00c48dce7dab2
• Instruction Fuzzy Hash: 1AE1C531904219AADB14EBA6DC52FEE7378AF12329F20011FF511B11D2EF7C6B45866E
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 0047E522
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
  • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
• lua_pushnil.LUA5.1(?,?,00000002), ref: 0047E571
• lua_next.LUA5.1(?,00000002,?,?,00000002), ref: 0047E579
• lua_tolstring.LUA5.1(?,000000FE,00000000), ref: 0047E58D
• _strlen.LIBCMT ref: 0047E59F
• lua_tolstring.LUA5.1(?,000000FF,00000000,006A333C,00000000,00000000), ref: 0047E5B4
• _strlen.LIBCMT ref: 0047E5C6
• lua_settop.LUA5.1(?,000000FE,006A333C,00000000,00000000,006A333C,00000000,00000000), ref: 0047E5D9
• lua_next.LUA5.1(?,00000002,?,000000FE,006A333C,00000000,00000000,006A333C,00000000,00000000), ref: 0047E5E1
• lua_type.LUA5.1(?), ref: 0047E600
• lua_type.LUA5.1(?,00000003), ref: 0047E60F
• lua_type.LUA5.1(?,00000004), ref: 0047E636
• lua_type.LUA5.1(?,00000004), ref: 0047E645
• lua_type.LUA5.1(?,00000005), ref: 0047E66C
• lua_type.LUA5.1(?,00000005), ref: 0047E67B
• lua_type.LUA5.1(?,00000006,00000000), ref: 0047E6C9
• lua_type.LUA5.1(?,00000006,00000000), ref: 0047E6DB
• lua_pushnil.LUA5.1(?,?,00000006,00000000), ref: 0047E6F2
• lua_next.LUA5.1(?,00000006,?,?,00000006,00000000), ref: 0047E6F9
• lua_tolstring.LUA5.1(?,000000FF,00000000,UserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E731
• lua_tolstring.LUA5.1(?,000000FF,00000000,Password,UserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E750
• lua_settop.LUA5.1(?,000000FE,Password,UserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E764
• lua_next.LUA5.1(?,00000006,?,000000FE,Password,UserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E76C
• lua_tolstring.LUA5.1(?,000000FE,00000000,?,?,?,?,00000000), ref: 0047E70B
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• lua_type.LUA5.1(?,00000007,00000000), ref: 0047E7A6
• lua_type.LUA5.1(?,00000007,00000000), ref: 0047E7B9
• lua_pushnil.LUA5.1(?,?,00000007,00000000), ref: 0047E7D1
• lua_next.LUA5.1(?,00000007,?,?,00000007,00000000), ref: 0047E7D9
• lua_tolstring.LUA5.1(?,000000FE,00000000,?,?,?,?,00000000), ref: 0047E7EA
• lua_tolstring.LUA5.1(?,000000FF,00000000,PUserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E810
• lua_tolstring.LUA5.1(?,000000FF,00000000,PPassword,PUserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E82F
                                                                                                                              • lua_tolstring.LUA5.1(?,000000FF,00000000,PServerAddress,PPassword,PUserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E84E
                                                                                                                              • lua_settop.LUA5.1(?,000000FE,PServerAddress,PPassword,PUserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E862
                                                                                                                              • lua_next.LUA5.1(?,00000007,?,000000FE,PServerAddress,PPassword,PUserName,00000000,?,?,?,?,?,?,?,00000000), ref: 0047E86A
                                                                                                                              • lua_pushstring.LUA5.1(?,006985B8,?,?,00000000), ref: 0047E9CA
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_type.$lua_tolstring.$lua_next.$H_prolog3$_strlenlua_pushnil.lua_settop.$lua_pushstring.lua_remove.$lua_getfield.lua_gettable.lua_gettop.lua_pcall.
                                                                                                                              • String ID: P$PPassword$PServerAddress$PUserName$Password$UserName
                                                                                                                              • API String ID: 994422194-2805187325
                                                                                                                              • Opcode ID: e2981575ad5b46be1dcf52c5ef4f05fd66f21ffeed17adaa05e1db2336345d6e
                                                                                                                              • Instruction ID: 822a3404e9fabf112b3aecc9270ed235ea44920ac481a42295c77f6a576fccfb
                                                                                                                              • Opcode Fuzzy Hash: e2981575ad5b46be1dcf52c5ef4f05fd66f21ffeed17adaa05e1db2336345d6e
                                                                                                                              • Instruction Fuzzy Hash: 53E1E662804114A6EB14BB67CC02FEE76299F56328F20425FF529761D3EF3C6B05866E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • luaL_openlib.LUA5.1(0040CD00,System,?,00000000), ref: 0047A2EF
                                                                                                                              • lua_pushstring.LUA5.1(0040CD00,UserSIDError,0040CD00,System,?,00000000), ref: 0047A2FA
                                                                                                                              • lua_pushnumber.LUA5.1(0040CD00,?,?,00000000), ref: 0047A308
                                                                                                                              • lua_settable.LUA5.1(0040CD00,000000FD,0040CD00,?,?,00000000), ref: 0047A310
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: L_openlib.lua_pushnumber.lua_pushstring.lua_settable.
                                                                                                                              • String ID: EnumerateProcesses$GetDate$GetDefaultLangID$GetDisplayInfo$GetLANInfo$GetMemoryInfo$GetOSName$GetOSProductInfo$GetOSVersionInfo$GetTime$GetUserInfo$GetUserSID$Is64BitOS$IsSystemRestoreAvailable$Reboot$RegisterActiveX$RegisterFont$RegisterTypeLib$RemoveRestorePoint$SetRestorePoint$System$TerminateProcess$UnregisterActiveX$UnregisterFont$UserSIDError$Wow64DisableFsRedirection$Wow64RevertFsRedirection
                                                                                                                              • API String ID: 1781497972-4283409349
                                                                                                                              • Opcode ID: dfb6fbc200d954e4a3843397f710722638d8f37f9a8418976efd825af63dcf7b
                                                                                                                              • Instruction ID: 651693c304be1120127a05c33b110fa806bda5e9d532c24d104d0639e0970fca
                                                                                                                              • Opcode Fuzzy Hash: dfb6fbc200d954e4a3843397f710722638d8f37f9a8418976efd825af63dcf7b
                                                                                                                              • Instruction Fuzzy Hash: 4341B2B0D05268DADB20EF95C9496DDBFB6FF02318F54C58AE0597B201C7B80E498F59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_pushstring.LUA5.1(?,Text,?,?), ref: 00460546
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Text,?,?), ref: 0046054E
                                                                                                                              • lua_isstring.LUA5.1(?,?,?,000000FE,?,Text,?,?), ref: 00460558
                                                                                                                              • lua_tolstring.LUA5.1(?,?,00000000,?,?,?,?,?,?), ref: 00460568
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              • lua_settop.LUA5.1(?,000000FE,?,?,?,?,?,?), ref: 0046057C
                                                                                                                              • lua_pushstring.LUA5.1(?,Description,?,000000FE,?,?,?,?,?,?), ref: 00460587
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Description,?,000000FE,?,?,?,?,?,?), ref: 0046058F
                                                                                                                              • lua_isstring.LUA5.1(?,?,?,000000FE,?,Description,?,000000FE,?,?,?,?,?,?), ref: 00460596
                                                                                                                              • lua_tolstring.LUA5.1(?,?,00000000), ref: 004605A6
                                                                                                                              • lua_settop.LUA5.1(?,000000FE,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004605BA
                                                                                                                              • lua_pushstring.LUA5.1(?,Enabled,?,000000FE), ref: 004605C5
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Enabled,?,000000FE), ref: 004605CD
                                                                                                                              • lua_type.LUA5.1(?,?,?,000000FE,?,Enabled,?,000000FE), ref: 004605D4
                                                                                                                              • lua_toboolean.LUA5.1(?), ref: 004605E3
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 004605F0
                                                                                                                              • lua_pushstring.LUA5.1(?,State,?,000000FE), ref: 004605FB
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,State,?,000000FE), ref: 00460603
                                                                                                                              • lua_isnumber.LUA5.1(?,?,?,000000FE,?,State,?,000000FE), ref: 0046060A
                                                                                                                              • lua_tonumber.LUA5.1(?), ref: 00460618
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0046062A
                                                                                                                              • lua_pushstring.LUA5.1(?,Expanded,?,000000FE), ref: 00460635
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Expanded,?,000000FE), ref: 0046063D
                                                                                                                              • lua_type.LUA5.1(?,?,?,000000FE,?,Expanded,?,000000FE), ref: 00460644
                                                                                                                              • lua_toboolean.LUA5.1(?), ref: 00460653
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 00460660
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_gettable.lua_pushstring.$lua_settop.$lua_type.$H_prolog3lua_isstring.lua_remove.lua_toboolean.lua_tolstring.$_strlenlua_getfield.lua_gettop.lua_isnumber.lua_pcall.lua_tonumber.
                                                                                                                              • String ID: Description$Enabled$Expanded$State$Text
                                                                                                                              • API String ID: 1046252865-1133598597
                                                                                                                              • Opcode ID: 29ab189ab1762ab8768c420648508e1f9546d63b9e80b691d8aa5b9bf12c96f2
                                                                                                                              • Instruction ID: f581e461dcf535aac6c1a7f2c1fa94f4646b3e93058bcbd366264eba877e7385
                                                                                                                              • Opcode Fuzzy Hash: 29ab189ab1762ab8768c420648508e1f9546d63b9e80b691d8aa5b9bf12c96f2
                                                                                                                              • Instruction Fuzzy Hash: 0941806190992579DA167B678D43EDF265D9F4232AF20021BF820741C7EF2CAF1245BE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004600DD
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_pushstring.LUA5.1(?,Text), ref: 00460137
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Text), ref: 0046013F
                                                                                                                              • lua_isstring.LUA5.1(?,00000000,?,000000FE,?,Text), ref: 00460149
                                                                                                                              • lua_tolstring.LUA5.1(?,00000000,00000000), ref: 00460159
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004A8898: __EH_prolog3.LIBCMT ref: 004A889F
                                                                                                                                • Part of subcall function 004A8898: IsWindow.USER32(?), ref: 004A88B8
                                                                                                                                • Part of subcall function 004A8898: SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004A88D3
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0046018A
                                                                                                                              • lua_pushstring.LUA5.1(?,Visible,?,000000FE), ref: 00460195
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Visible,?,000000FE), ref: 0046019D
                                                                                                                              • lua_type.LUA5.1(?,00000000,?,000000FE,?,Visible,?,000000FE), ref: 004601A4
                                                                                                                              • lua_toboolean.LUA5.1(?,00000000), ref: 004601B3
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 004601C5
                                                                                                                              • lua_pushstring.LUA5.1(?,Enabled,?,000000FE), ref: 004601D0
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Enabled,?,000000FE), ref: 004601D8
                                                                                                                              • lua_type.LUA5.1(?,00000000,?,000000FE,?,Enabled,?,000000FE), ref: 004601DF
                                                                                                                              • lua_toboolean.LUA5.1(?,00000000), ref: 004601EE
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 00460200
                                                                                                                              • lua_pushstring.LUA5.1(?,Checked,?,000000FE), ref: 0046020B
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Checked,?,000000FE), ref: 00460213
                                                                                                                              • lua_type.LUA5.1(?,00000000,?,000000FE,?,Checked,?,000000FE), ref: 0046021A
                                                                                                                              • lua_toboolean.LUA5.1(?,00000000), ref: 00460229
                                                                                                                              • IsWindow.USER32(?), ref: 00460258
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0046026B
                                                                                                                              • IsWindow.USER32(?), ref: 00460289
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004602B6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_gettable.lua_pushstring.lua_type.$lua_settop.$Windowlua_toboolean.$lua_remove.$InvalidateMessageRectSendlua_getfield.lua_gettop.lua_isstring.lua_pcall.lua_tolstring.
                                                                                                                              • String ID: Checked$Enabled$Text$Visible
                                                                                                                              • API String ID: 1695491083-2599746497
                                                                                                                              • Opcode ID: d03642a93b93ce82652bb7554319685a6f4e59417fd5bb6a041f63623a7ddd1e
                                                                                                                              • Instruction ID: f284be31e51a2e89de2d2d3c9ec864c5cd381a8585c58060ac881f28b69987a7
                                                                                                                              • Opcode Fuzzy Hash: d03642a93b93ce82652bb7554319685a6f4e59417fd5bb6a041f63623a7ddd1e
                                                                                                                              • Instruction Fuzzy Hash: 1C51B5316096117BDB157F678C46FAF36699F4232AF10025EF410662D3EF6CAE0186AE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000,00000000), ref: 004603F6
                                                                                                                              • lua_pushstring.LUA5.1(?,Text,?,00000000,00000000,00000000), ref: 00460401
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,Text,?,00000000,00000000,00000000), ref: 0046040A
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,Text,?,00000000,00000000,00000000), ref: 00460412
                                                                                                                              • lua_pushstring.LUA5.1(?,Description,?,000000FD,?,?,?,Text,?,00000000,00000000,00000000), ref: 0046041D
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,Description,?,000000FD,?,?,?,Text,?,00000000,00000000,00000000), ref: 00460426
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,Description,?,000000FD,?,?,?,Text,?,00000000,00000000,00000000), ref: 0046042E
                                                                                                                              • lua_pushstring.LUA5.1(?,Enabled,?,000000FD,?,?,?,Description,?,000000FD,?,?,?,Text,?,00000000), ref: 00460439
                                                                                                                              • lua_pushboolean.LUA5.1(?,00000000), ref: 00460443
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,00000000), ref: 0046044B
                                                                                                                              • lua_pushstring.LUA5.1(?,State,?,000000FD,?,00000000), ref: 00460456
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,000000FD,?,00000000), ref: 00460472
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,000000FD,?,00000000), ref: 0046047A
                                                                                                                              • lua_pushstring.LUA5.1(?,Expanded,?,000000FD,?,?,000000FD,?,00000000), ref: 00460485
                                                                                                                              • lua_pushboolean.LUA5.1(?,?,?,Expanded,?,000000FD,?,?,000000FD,?,00000000), ref: 0046048E
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,Expanded,?,000000FD,?,?,000000FD,?,00000000), ref: 00460496
                                                                                                                              • lua_pushnil.LUA5.1(?), ref: 004604B9
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_pushstring.$lua_settable.$lua_pushboolean.lua_remove.$H_prolog3lua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_type.
                                                                                                                              • String ID: Description$Enabled$Expanded$State$Text
                                                                                                                              • API String ID: 1313748715-1133598597
                                                                                                                              • Opcode ID: 6944d100bd6ebaa7cab3306f93a4be329ff3d9f1f5485da60846aeacc6eb75e1
                                                                                                                              • Instruction ID: c93647555eefa6c71e5f01bfa4a0d76709558db8d1de06f9f3bec6df5f5e263e
                                                                                                                              • Opcode Fuzzy Hash: 6944d100bd6ebaa7cab3306f93a4be329ff3d9f1f5485da60846aeacc6eb75e1
                                                                                                                              • Instruction Fuzzy Hash: 54318221509A21BAE6127F678C07FDF3158AF4632AF10421AF510A50C7AF6DBB1246BE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045E55B
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_pushstring.LUA5.1(?,Text), ref: 0045E5B7
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Text), ref: 0045E5BF
                                                                                                                              • lua_isstring.LUA5.1(?,?,?,000000FE,?,Text), ref: 0045E5C9
                                                                                                                              • lua_tolstring.LUA5.1(?,?,00000000), ref: 0045E5D9
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0045E60A
                                                                                                                              • lua_pushstring.LUA5.1(?,Visible,?,000000FE), ref: 0045E615
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Visible,?,000000FE), ref: 0045E61D
                                                                                                                              • lua_type.LUA5.1(?,?,?,000000FE,?,Visible,?,000000FE), ref: 0045E624
                                                                                                                              • lua_toboolean.LUA5.1(?), ref: 0045E638
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0045E64B
                                                                                                                              • lua_pushstring.LUA5.1(?,Enabled,?,000000FE), ref: 0045E656
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Enabled,?,000000FE), ref: 0045E65E
                                                                                                                              • lua_type.LUA5.1(?,?,?,000000FE,?,Enabled,?,000000FE), ref: 0045E665
                                                                                                                              • lua_toboolean.LUA5.1(?), ref: 0045E679
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0045E68C
                                                                                                                              • IsWindow.USER32(?), ref: 0045E74E
                                                                                                                              • InvalidateRect.USER32(?,-00000018,00000001), ref: 0045E76C
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_gettable.lua_pushstring.lua_type.$lua_settop.$lua_remove.lua_toboolean.$InvalidateRectWindowlua_getfield.lua_gettop.lua_isstring.lua_pcall.lua_tolstring.
                                                                                                                              • String ID: Enabled$Text$Visible
                                                                                                                              • API String ID: 2468856768-1258828939
                                                                                                                              • Opcode ID: dcbd6a7b5041cc1e82de44cc7e3ebfa37e03bf53a1fbb3d02b762165ecedc583
                                                                                                                              • Instruction ID: 2a7065115142950cc221c4680cad670c768e77f056a6e18e5564fd83030f3d81
                                                                                                                              • Opcode Fuzzy Hash: dcbd6a7b5041cc1e82de44cc7e3ebfa37e03bf53a1fbb3d02b762165ecedc583
                                                                                                                              • Instruction Fuzzy Hash: 3A61F471904100AFCB14EF6ACC85EBF77B9AF45325F10416EF414AB293DB38AE058B69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

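The LUA5.1 call lists above are easier to read once two things about the listing are known. First, the argument lists are raw stack snapshots, so everything past an API's real argument count is left over from the previous call (lua_gettable takes only the state and an index; the `Visible`, `Enabled` and `ResetLastError` strings trailing it were pushed by the preceding lua_pushstring). Second, the indices are printed as push immediates: `FFFFD8EE` is -10002, which is LUA_GLOBALSINDEX in Lua 5.1, and `000000FE`, `000000FF`, `000000FD` are the stack indices -2, -1, -3. Read that way, the subcall at 00459443 fetches the global `Application`, indexes it with `ResetLastError` and runs the result with lua_pcall(L, 0, 0, 0), i.e. the host calls `Application.ResetLastError()` before each dialog-control accessor, and the accessors themselves read the `Text`, `Visible`, `Enabled` and `Checked` fields of a control table and repaint the window. The following Python decoder is an added example, not part of the Joe Sandbox report or of the analysed sample; it parses trace lines of this shape, cuts each Lua call to its documented arity, and rewrites it as C. The treatment of `0x80`-`0xFF` as sign-extended 8-bit immediates is an assumption about how the plugin prints small negative immediates, consistent with every index in the listing; the sample input is copied from the lines above.

```python
"""Decode the 'APIs' lines of a Joe Sandbox report for a Lua 5.1 host.

Added example, not part of the report: it parses trace lines like the ones
listed above and rewrites the Lua C API calls in readable form, so the
globals and table keys the sample's Lua layer touches can be pulled out.
"""
import re
from typing import List, NamedTuple, Optional

# Argument count (including lua_State *L) of the Lua 5.1 C API functions
# seen in the report.  The plugin prints a raw stack snapshot, so anything
# past the arity is stale data left over from earlier calls.
LUA51_ARITY = {
    "lua_gettop": 1, "lua_pushnil": 1,
    "lua_settop": 2, "lua_type": 2, "lua_toboolean": 2, "lua_remove": 2,
    "lua_gettable": 2, "lua_settable": 2, "lua_pushstring": 2,
    "lua_pushboolean": 2, "lua_isstring": 2,
    "lua_getfield": 3, "lua_tolstring": 3, "lua_createtable": 3,
    "lua_pcall": 4,
    "lua_pushnumber": 3,  # double = two 32-bit stack slots on x86
}

# Pseudo-indices from Lua 5.1 lua.h.
PSEUDO_INDEX = {
    -10000: "LUA_REGISTRYINDEX",
    -10001: "LUA_ENVIRONINDEX",
    -10002: "LUA_GLOBALSINDEX",
}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")


class ApiCall(NamedTuple):
    func: str
    module: str
    args: List[str]         # decoded, cut to the API's arity when known
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the line is a "subcall" line


def decode_arg(raw: str) -> str:
    """Turn one printed argument into something readable.

    Assumption about the plugin's display, consistent with the listing:
    -2 is printed as 000000FE (sign-extended 8-bit push immediate) while
    -10002 is printed as FFFFD8EE (full 32-bit immediate).
    """
    if raw == "?":
        return "?"
    if not HEX_RE.match(raw):
        return f'"{raw}"'  # resolved string pointer, shown by the plugin as text
    value = int(raw, 16)
    if 0x80 <= value <= 0xFF:
        value -= 0x100
    elif value >= 0x80000000:
        value -= 0x100000000
    if value in PSEUDO_INDEX:
        return PSEUDO_INDEX[value]
    if -0x10000 < value < 0x10000:
        return str(value)
    return f"0x{value & 0xFFFFFFFF:08X}"  # pointer / return address


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "__EH_prolog3.LIBCMT ref: ..." carries no argument list
    args = [decode_arg(a.strip()) for a in m.group("args").split(",")]
    if m.group("mod") == "LUA5.1" and m.group("func") in LUA51_ARITY:
        args = args[:LUA51_ARITY[m.group("func")]]
    return ApiCall(m.group("func"), m.group("mod"), args, m.group("ref"), m.group("sub"))


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def render(call: ApiCall) -> str:
    """Rewrite a call as C, e.g. lua_getfield(L, LUA_GLOBALSINDEX, "Application")."""
    args = ["L" if i == 0 and call.module == "LUA5.1" else a
            for i, a in enumerate(call.args)]
    return f"{call.func}({', '.join(args)})"


def lua_keys(calls: List[ApiCall]) -> List[str]:
    """Strings the host hands to Lua as globals or table keys, in call order."""
    keys = []
    for c in calls:
        if c.module != "LUA5.1":
            continue
        if c.func == "lua_getfield" and len(c.args) == 3 and c.args[2].startswith('"'):
            keys.append(c.args[2].strip('"'))
        elif c.func == "lua_pushstring" and len(c.args) == 2 and c.args[1].startswith('"'):
            keys.append(c.args[1].strip('"'))
    return keys


# Eight lines copied from the report's API listing above, used as worked input.
SAMPLE_TRACE = """\
• Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
• Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
• Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
• Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
• lua_pushstring.LUA5.1(?,Enabled,?,000000FE), ref: 004601D0
• lua_gettable.LUA5.1(?,000000FE,?,Enabled,?,000000FE), ref: 004601D8
• lua_toboolean.LUA5.1(?,00000000), ref: 004601EE
• IsWindow.USER32(?), ref: 00460258
"""

if __name__ == "__main__":
    for call in parse_trace(SAMPLE_TRACE):
        where = f"{call.ref} (in {call.subcall})" if call.subcall else call.ref
        print(f"{where}: {render(call)}")
    print("keys:", lua_keys(parse_trace(SAMPLE_TRACE)))
```

Run against the sample it prints the subcall as `lua_getfield(L, LUA_GLOBALSINDEX, "Application")`, `lua_pushstring(L, "ResetLastError")`, `lua_gettable(L, -2)`, `lua_pcall(L, 0, 0, 0)` and collects the keys `Application`, `ResetLastError`, `Enabled`; feeding it the whole "APIs" section of a report gives the set of script-visible names the host touches, which is what you compare against a known-good build of the same installer runtime.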
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00476310
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 0047635D
                                                                                                                              • lua_type.LUA5.1(?,00000004), ref: 0047637E
• lua_getfield.LUA5.1(?,FFFFD8EE,string), ref: 004763B7
• lua_pushstring.LUA5.1(?,find,?,FFFFD8EE,string), ref: 004763C2
• lua_gettable.LUA5.1(?,000000FE,?,find,?,FFFFD8EE,string), ref: 004763CA
• lua_remove.LUA5.1(?,000000FE,?,000000FE,?,find,?,FFFFD8EE,string), ref: 004763D2
• lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,find,?,FFFFD8EE,string), ref: 004763DA
• lua_pushstring.LUA5.1(?,?), ref: 004763EF
• lua_pushstring.LUA5.1(?,?,?,?), ref: 004763F8
• lua_pushnumber.LUA5.1(?,?,?), ref: 00476407
• lua_pushboolean.LUA5.1(?,00000001,?,?,?), ref: 0047640E
• lua_pcall.LUA5.1(?,00000004,00000002,00000000,?,00000001,?,?,?), ref: 0047641A
• lua_pushnumber.LUA5.1(?,?,00000B54), ref: 00476497
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3lua_pushstring.lua_type.$lua_remove.$lua_getfield.lua_gettable.lua_pcall.lua_pushnumber.$lua_gettop.lua_pushboolean.lua_tolstring.
• String ID: find$string
• API String ID: 1562589319-714750175
• Opcode ID: 27a139f434685931d386e87cf4d2f280be8d3f85a09b071000b6106c2035d280
• Instruction ID: c7b549c2b511f1680fc9e8ff777c6d7aa84b2b7013c0c8b28b4d1b96d469939c
• Opcode Fuzzy Hash: 27a139f434685931d386e87cf4d2f280be8d3f85a09b071000b6106c2035d280
• Instruction Fuzzy Hash: 35418F21809926B5DA157A6A8C03EEF36259F5233AF60471FF025751D7EF2C6B0241AE
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046C584
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• GetProcAddress.KERNEL32(00000000,MsiEnumPatchesA), ref: 0046C5CC
  • Part of subcall function 00405435: _strnlen.LIBCMT ref: 0040544E
• _malloc.LIBCMT ref: 0046C661
  • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
  • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
  • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
• _memset.LIBCMT ref: 0046C676
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• _free.LIBCMT ref: 0046C6A4
  • Part of subcall function 005B4C17: RtlFreeHeap.NTDLL(00000000,00000000,?,005C092F,00000000,?,005C4E2D,?,00000001,?,?,005C4363,00000018,00738D88,0000000C,005C43F3), ref: 005B4C2D
  • Part of subcall function 005B4C17: GetLastError.KERNEL32(00000000,?,005C092F,00000000,?,005C4E2D,?,00000001,?,?,005C4363,00000018,00738D88,0000000C,005C43F3,?), ref: 005B4C3F
• lua_createtable.LUA5.1(?,00000000,00000000,000000FF), ref: 0046C6BA
• lua_pushnumber.LUA5.1(?,?,?,000000FF), ref: 0046C6DC
• lua_createtable.LUA5.1(?,00000000,00000000,?,?,?,000000FF), ref: 0046C6E4
• lua_pushstring.LUA5.1(?,PatchCode,?,00000000,00000000,?,?,?,000000FF), ref: 0046C6EF
• lua_pushstring.LUA5.1(?,?,?,PatchCode,?,00000000,00000000,?,?,?,000000FF), ref: 0046C6F8
• lua_settable.LUA5.1(?,000000FD,?,?,?,PatchCode,?,00000000,00000000,?,?,?,000000FF), ref: 0046C700
• lua_pushstring.LUA5.1(?,TransformList,?,000000FD,?,?,?,PatchCode,?,00000000,00000000,?,?,?,000000FF), ref: 0046C70B
• lua_pushstring.LUA5.1(?,00000000,?,TransformList,?,000000FD,?,?,?,PatchCode,?,00000000,00000000,?), ref: 0046C714
• lua_settable.LUA5.1(?,000000FD), ref: 0046C71F
• lua_settable.LUA5.1(?,000000FD,?,000000FD), ref: 0046C727
• lua_pushnil.LUA5.1(?,?,?,?,?,?,?,?,?,?,0000002C), ref: 0046C79D
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_pushstring.$H_prolog3$lua_settable.$Heaplua_createtable.lua_remove.$AddressAllocateErrorFreeLastProc_free_malloc_memset_strlen_strnlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_tolstring.lua_type.
• String ID: MsiEnumPatchesA$PatchCode$TransformList
• API String ID: 2133518626-2687235862
• Opcode ID: b2eeebed8aa83fca936270feecf5cec8eb67b7bfd5ebdc36faa9c6ac4d0b0b43
• Instruction ID: c973a458384c421d543e03cd1ac9cc13fede592807036721cc0db5903f5fc963
• Opcode Fuzzy Hash: b2eeebed8aa83fca936270feecf5cec8eb67b7bfd5ebdc36faa9c6ac4d0b0b43
• Instruction Fuzzy Hash: 6C518C71C04109AEDF00EFA5CC929FEBA78AF15319F20412EF511721D2EB7C6A459B6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046C1D7
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• GetProcAddress.KERNEL32(00000000,MsiGetFeatureInfoA), ref: 0046C250
• _malloc.LIBCMT ref: 0046C2AF
• _malloc.LIBCMT ref: 0046C2B9
• _memset.LIBCMT ref: 0046C2D0
• _memset.LIBCMT ref: 0046C2DC
• _free.LIBCMT ref: 0046C312
• _free.LIBCMT ref: 0046C320
• lua_createtable.LUA5.1(?,00000000,00000000), ref: 0046C329
• lua_pushstring.LUA5.1(?,Title,?,00000000,00000000), ref: 0046C334
• lua_pushstring.LUA5.1(?,00000000,?,Title,?,00000000,00000000), ref: 0046C33D
• lua_settable.LUA5.1(?,000000FD,?,00000000,?,Title,?,00000000,00000000), ref: 0046C345
• lua_pushstring.LUA5.1(?,Description,?,000000FD,?,00000000,?,Title,?,00000000,00000000), ref: 0046C350
• lua_pushstring.LUA5.1(?,00000000,?,Description,?,000000FD,?,00000000,?,Title,?,00000000,00000000), ref: 0046C359
• lua_settable.LUA5.1(?,000000FD,?,00000000,?,Description,?,000000FD,?,00000000,?,Title,?,00000000,00000000), ref: 0046C361
• lua_pushnil.LUA5.1(?), ref: 0046C3A6
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_pushstring.$H_prolog3$_free_malloc_memsetlua_remove.lua_settable.$AddressProclua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_tolstring.lua_type.
• String ID: Description$MsiGetFeatureInfoA$Title
• API String ID: 3318367934-1217384030
• Opcode ID: 78f17d0a94f44d829a41ca590364ad89a468b8e82280692d9bf4cf9728bf5080
• Instruction ID: 332201f746e81777cc85c237a02401d42fb5d16d94876f0d4af26ef22ab59397
• Opcode Fuzzy Hash: 78f17d0a94f44d829a41ca590364ad89a468b8e82280692d9bf4cf9728bf5080
• Instruction Fuzzy Hash: 46518D71C00209AACF11BBF5DC86DFEBB79AF45314F20461AF911B2293EA395A41CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0047A45E
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
  • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_type.LUA5.1(?,00000003), ref: 0047A49C
• lua_type.LUA5.1(?,00000004), ref: 0047A4C2
• lua_getfield.LUA5.1(?,FFFFD8EE,table,?,?,?,?,?,?,?,?,00000018), ref: 0047A514
• lua_pushstring.LUA5.1(?,concat,?,FFFFD8EE,table,?,?,?,?,?,?,?,?,00000018), ref: 0047A51F
• lua_gettable.LUA5.1(?,000000FE,?,concat,?,FFFFD8EE,table,?,?,?,?,?,?,?,?,00000018), ref: 0047A527
• lua_remove.LUA5.1(?,000000FE,?,000000FE,?,concat,?,FFFFD8EE,table), ref: 0047A52F
• lua_type.LUA5.1(?,?,?,000000FE,?,000000FE,?,concat,?,FFFFD8EE,table), ref: 0047A536
• lua_pushvalue.LUA5.1(?,00000001), ref: 0047A549
• lua_pushstring.LUA5.1(?,?,?,00000001), ref: 0047A552
• lua_pushnumber.LUA5.1(?,?,00000001), ref: 0047A561
• lua_pushnumber.LUA5.1(?), ref: 0047A578
• lua_pcall.LUA5.1(?,00000004,00000001,00000000), ref: 0047A587
• lua_pushstring.LUA5.1(?,?,?,00000B54), ref: 0047A5E5
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_type.$lua_pushstring.$lua_remove.$lua_getfield.lua_gettable.lua_pcall.lua_pushnumber.$lua_gettop.lua_pushvalue.lua_tolstring.
                                                                                                                              • String ID: concat$table
                                                                                                                              • API String ID: 2763045376-3852859565
                                                                                                                              • Opcode ID: f334c298e4b8d4a2b813a0121e1f02ea525bcf25178cbf61419aefbc7405e901
                                                                                                                              • Instruction ID: 729378e8562547643f47e3168c5e5db5af8a3d494ff60f24c949d963e8eba723
                                                                                                                              • Opcode Fuzzy Hash: f334c298e4b8d4a2b813a0121e1f02ea525bcf25178cbf61419aefbc7405e901
                                                                                                                              • Instruction Fuzzy Hash: AC41D521804915B6DB117B668C43FEF3628AF5232AF20421FF110751C7EF7D6B1586AE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• GetTextExtentPoint32A.GDI32(8BBF5050,0069A5D0,00000001,?), ref: 004A0351
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA73C,00000001,?), ref: 004A036C
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA73C,00000001,?), ref: 004A038A
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA738,00000001,?), ref: 004A039F
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA734,00000001,?), ref: 004A03BA
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA734,00000001,?), ref: 004A03D8
• GetTextExtentPoint32A.GDI32(8BBF5050,0069A5D0,00000001,?), ref: 004A03EF
• GetTextExtentPoint32A.GDI32(8BBF5050,006AA73C,00000001,?), ref: 004A040A
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ExtentPoint32Text
• String ID:
• API String ID: 223599850-0
• Opcode ID: 2b15d5efccecaab91ab110344de1f98632080ca6b4bfb4185b45a256f479e95f
• Instruction ID: c7b0f8824267e47ffa9be9d6f7f49696779b508a72a934f96a39fd8dd8f7d195
• Opcode Fuzzy Hash: 2b15d5efccecaab91ab110344de1f98632080ca6b4bfb4185b45a256f479e95f
• Instruction Fuzzy Hash: DDC1C1B5E0021EAFCB01DF98C9818EEBBFABB19300B118117E915F2250D775AE55DFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _fseek$__fassign__fread_nolock$_sprintf$H_prolog3H_prolog3___wcstombs_l_helper_strlen_strnlen
• String ID: %s%d bytes$%s%d wide chars to %d bytes$UTF-16LE BOM + $UTF-8$UTF-8 BOM +
• API String ID: 3796706425-57846469
• Opcode ID: 45885c1336fc052a10f8630d6336c53a0d7d78b4887261a67af970b60002fade
• Instruction ID: 88dbf6717b2063eba7f152900f0f85e004359ee4b10710b10789509c591bcce3
• Opcode Fuzzy Hash: 45885c1336fc052a10f8630d6336c53a0d7d78b4887261a67af970b60002fade
• Instruction Fuzzy Hash: 9791A171E00218AEDF249B74CC46FEEBBB9AF45314F0041DAF50DB2292DA359E848F65
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: BDFILL$BDIMG$CAOff$CstClrs$CstFnts$FTSEP$FontData$Fonts$HDSEP$SBIMG$ScreenH$ScreenW$StyleData$TBIMG$TBTXTX$TBTXTY
• API String ID: 431132790-1466213234
• Opcode ID: a9887410c176001072c0b38770bf919faa8f6480463712542dfc3399cc363307
• Instruction ID: b24a68273a000412876dc90f14d1328d2e240432259003874619c87eb7d62898
• Opcode Fuzzy Hash: a9887410c176001072c0b38770bf919faa8f6480463712542dfc3399cc363307
• Instruction Fuzzy Hash: EBF1D570500248EFC704EF69C891AEEBBF4BF15308F14856FF45997291DB78AA44CB95
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046C03F
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• GetProcAddress.KERNEL32(00000000,MsiGetShortcutTargetA), ref: 0046C080
  • Part of subcall function 00405435: _strnlen.LIBCMT ref: 0040544E
• lua_createtable.LUA5.1(?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C116
• lua_pushstring.LUA5.1(?,ProductCode,?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C121
• lua_pushstring.LUA5.1(?,000000FF,?,ProductCode,?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C12A
• lua_settable.LUA5.1(?,000000FD,?,000000FF,?,ProductCode,?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C132
• lua_pushstring.LUA5.1(?,FeatureId,?,000000FD,?,000000FF,?,ProductCode,?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C13D
• lua_pushstring.LUA5.1(?,?,?,FeatureId,?,000000FD,?,000000FF,?,ProductCode,?,00000000,00000000,000000FF,000000FF,000000FF), ref: 0046C146
• lua_settable.LUA5.1(?,000000FD,?,?,?,FeatureId,?,000000FD,?,000000FF,?,ProductCode,?,00000000,00000000,000000FF), ref: 0046C14E
• lua_pushstring.LUA5.1(?,ComponentCode,?,000000FD,?,?,?,FeatureId,?,000000FD,?,000000FF,?,ProductCode,?,00000000), ref: 0046C159
• lua_pushstring.LUA5.1(?,?), ref: 0046C165
• lua_settable.LUA5.1(?,000000FD,?,?), ref: 0046C16D
• lua_pushnil.LUA5.1(?), ref: 0046C1B6
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_pushstring.$H_prolog3$lua_settable.$lua_remove.$AddressProc_strnlenlua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_tolstring.lua_type.
• String ID: ComponentCode$FeatureId$MsiGetShortcutTargetA$ProductCode
• API String ID: 654485782-3671626826
• Opcode ID: 08a6e8885ec5c1f1cb12d683aef864db011b737212b0346eec4d3d908810f9e8
• Instruction ID: a7f2cd46e842152db73f185060fea67f7e885aa9e7e59e1fb710ed679d5408cf
• Opcode Fuzzy Hash: 08a6e8885ec5c1f1cb12d683aef864db011b737212b0346eec4d3d908810f9e8
• Instruction Fuzzy Hash: 99418031804615AADB01BBA6CC96EFF76349F52729F50022EF421762D3EE3C5A01967A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0047A612
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
  • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
• lua_type.LUA5.1(?,00000002,?,00000001,?,00000001,?,?,?,?,?,0000000C), ref: 0047A63C
• lua_type.LUA5.1(?,00000002), ref: 0047A64C
• lua_type.LUA5.1(?,00000002), ref: 0047A65A
• lua_getfield.LUA5.1(?,FFFFD8EE,table), ref: 0047A685
• lua_pushstring.LUA5.1(?,sort,?,FFFFD8EE,table), ref: 0047A690
• lua_gettable.LUA5.1(?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A698
• lua_remove.LUA5.1(?,000000FE,?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A6A0
• lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A6A8
• lua_pushvalue.LUA5.1(?,00000001), ref: 0047A6B7
• lua_pushvalue.LUA5.1(?,00000002), ref: 0047A6C9
• lua_pcall.LUA5.1(?,00000001,00000000,00000000), ref: 0047A6D6
• lua_type.LUA5.1(?,00000002), ref: 0047A6FE
• lua_type.LUA5.1(?,00000002), ref: 0047A70D
• lua_remove.LUA5.1(?,000000FF), ref: 0047A723
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_type.$lua_remove.$H_prolog3$lua_getfield.lua_gettable.lua_pcall.lua_pushstring.lua_pushvalue.$lua_gettop.
• String ID: sort$table
• API String ID: 3434745935-659178806
• Opcode ID: f55190642582b034b9f691aec5fbf36227eedc32975e74e9a7802254d07cbe1f
• Instruction ID: a079384774385243334ef706f7c4630cb4ff085ccddf974d8c4a86bfc47fe3f8
• Opcode Fuzzy Hash: f55190642582b034b9f691aec5fbf36227eedc32975e74e9a7802254d07cbe1f
• Instruction Fuzzy Hash: 3031D22160D61539EA28366A5C47FEF12288F5237EF64820FF424A51C3EE6C7F5240BE
Uniqueness

                                                                                                                              Uniqueness Score: -1.00%
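The Lua 5.1 call lists in these entries are easier to read once the hex arguments are decoded: FFFFD8EE is the 32-bit form of LUA_GLOBALSINDEX (-10002 in Lua 5.1's lua.h), and 000000FE / 000000FF are the relative stack indices -2 / -1, so the 00459443 subcall is the native side of `Application.ResetLastError()` and the sequence at 0047A685 fetches `table.sort`. The script below is an added example, not part of the Joe Sandbox report or of the analysed installer: it parses such "APIs" lines and replays them on a symbolic Lua stack. Two things are assumptions, not facts from the report: that values printed as 000000FE..000000FF are `push imm8` operands shown zero-extended, and that the caller-supplied argument count (`nargs`) is known to the reader. The sample input is copied from the entries above with the trailing padding slots shortened.

```python
"""Replay Lua 5.1 C-API calls from Joe Sandbox "APIs" lines on a symbolic stack.
Added example; not part of the Joe Sandbox report or of the analysed sample."""
import re

# Lua 5.1 pseudo-indices (lua.h).  The report prints arguments as 32-bit words,
# so LUA_GLOBALSINDEX (-10002) appears in the call lists as FFFFD8EE.
LUA_GLOBALSINDEX = -10002
PSEUDO = {-10000: "LUA_REGISTRYINDEX", -10001: "LUA_ENVIRONINDEX", LUA_GLOBALSINDEX: "_G"}
# Real argument count after the lua_State* for each API replayed; the report pads
# every call with further stack slots, which are discarded.
ARITY = {"lua_getfield": 2, "lua_pushstring": 1, "lua_gettable": 1, "lua_remove": 1,
         "lua_type": 1, "lua_pushvalue": 1, "lua_pcall": 3, "lua_gettop": 0}
API_LINE = re.compile(r"(?P<api>lua_\w+)\.LUA5\.1\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

# Constructed input: copied from the report entries above, padding slots shortened.
RESET_LAST_ERROR = """
• Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
• Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE), ref: 00459460
• Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError), ref: 00459468
• Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE), ref: 00459470
• Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE), ref: 00459478
• Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
• Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
"""
TABLE_SORT = """
• lua_getfield.LUA5.1(?,FFFFD8EE,table), ref: 0047A685
• lua_pushstring.LUA5.1(?,sort,?,FFFFD8EE,table), ref: 0047A690
• lua_gettable.LUA5.1(?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A698
• lua_remove.LUA5.1(?,000000FE,?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A6A0
• lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,sort,?,FFFFD8EE,table), ref: 0047A6A8
"""

def decode_index(tok):
    """Signed value of a printed argument; None for '?' or a string literal.
    Assumption: a value in 80..FF is a `push imm8` operand shown zero-extended
    (push -2 assembles to 6A FE and is printed as 000000FE)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return None
    v = int(tok, 16)
    if v >= 1 << 31:
        return v - (1 << 32)
    return v - 0x100 if 0x80 <= v <= 0xFF else v

def parse_api_lines(text):
    """Return [(api, real_args, ref)] for every lua_* line in a report extract."""
    out = []
    for m in API_LINE.finditer(text):
        raw = [a.strip() for a in m.group("args").split(",")]
        out.append((m.group("api"), raw[1:1 + ARITY.get(m.group("api"), 0)], m.group("ref")))
    return out

class LuaStack:
    """Symbolic model of the Lua stack as seen by one C function."""

    def __init__(self, nargs=0):
        self.slots = [f"arg{i + 1}" for i in range(nargs)]  # bottom of stack first
        self.calls = []  # rendered lua_pcall invocations
        self.notes = []  # anomalies, e.g. an underflow where the list mixes branches

    def resolve(self, idx):
        if idx in PSEUDO:
            return PSEUDO[idx]
        if idx and 0 < idx <= len(self.slots):
            return self.slots[idx - 1]
        if idx and -len(self.slots) <= idx < 0:
            return self.slots[idx]
        self.notes.append(f"index {idx} on a stack of {len(self.slots)}")
        return "<empty>"

    def pop(self):
        return self.slots.pop() if self.slots else self.resolve(-1)

    @staticmethod
    def field(table, key):
        name = key[1:-1] if key.startswith('"') else None
        if table == "_G" and name is not None:
            return name  # _G["x"] is just the global x
        return f"{table}.{name}" if name is not None else f"{table}[{key}]"

    def apply(self, api, args):
        n = [decode_index(a) for a in args]
        if api == "lua_getfield":
            self.slots.append(self.field(self.resolve(n[0]), f'"{args[1]}"'))
        elif api == "lua_pushstring":
            self.slots.append(f'"{args[0]}"')
        elif api == "lua_pushvalue":
            self.slots.append(self.resolve(n[0]))
        elif api == "lua_gettable":
            table = self.resolve(n[0])  # resolve before the key is popped
            self.slots.append(self.field(table, self.pop()))
        elif api == "lua_remove":
            if n[0] not in PSEUDO and self.resolve(n[0]) != "<empty>":
                del self.slots[n[0] - 1 if n[0] > 0 else n[0]]
        elif api == "lua_pcall":
            argv = [self.pop() for _ in range(n[0])][::-1]
            self.calls.append(f"{self.pop()}({', '.join(argv)})")
            self.slots += [f"ret{i + 1}" for i in range(n[1])]
        # lua_type and lua_gettop only inspect the stack

def replay(text, nargs=0):
    st = LuaStack(nargs)
    for api, args, _ref in parse_api_lines(text):
        st.apply(api, args)
    return st
```

Replaying the 00459443 list yields the single call `Application.ResetLastError()` and then a `lua_remove(-1)` on an empty stack; that underflow is not a bug in the replay but a property of the report's static list, which prints both sides of the `lua_type` check in one sequence (the function branch reaches `lua_pcall`, the non-function branch discards the value with `lua_remove`). Read such notes against the disassembly before treating the list as one straight-line trace. The same decoding applies to the other Lua entries on this page, for instance the `lua_next` loop over indices 3, 5, 6 and 7 in the CANCEL entry below.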

APIs
• __EH_prolog3_GS.LIBCMT ref: 004A061D
• _memmove.LIBCMT ref: 004A0638
• CopyRect.USER32(?,?), ref: 004A0658
• CopyRect.USER32(?,?), ref: 004A066A
• SendMessageA.USER32(?,?,00000000,000001A1), ref: 004A06D5
  • Part of subcall function 004B8974: IsWindowEnabled.USER32(?), ref: 004B897D
• GetSysColor.USER32(0000000D), ref: 004A0719
• CopyRect.USER32(?,?), ref: 004A07DA
• CopyRect.USER32(?,?), ref: 004A0821
• FillRect.USER32(?,?,?), ref: 004A0886
• GetSysColor.USER32(00000008), ref: 004A0944
• GetSysColor.USER32(00000014), ref: 004A094E
• GetBkMode.GDI32(?), ref: 004A096D
• DrawFrameControl.USER32(?,?,00000004,?), ref: 004A0A9D
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Rect$Copy$Color$ControlDrawEnabledFillFrameH_prolog3_MessageModeSendWindow_memmove
• String ID: $t$@$BUTTON
• API String ID: 3719857478-1460908638
• Opcode ID: 30ff44c5568c476d7d6a26e36cd1cb354780b95db2c810152c0a01103113bffd
• Instruction ID: 45b3182a2ffadc1484c371992de330d9552246b19044b1529ee1b23b67e8f95f
• Opcode Fuzzy Hash: 30ff44c5568c476d7d6a26e36cd1cb354780b95db2c810152c0a01103113bffd
• Instruction Fuzzy Hash: 56F16C75A002299FDF15DFA4CC45BADBBB5BF09300F00419AE90AEB292DB34AD85CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0045E14F
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
• lua_pushnil.LUA5.1(?,?,00000A8F,00000260), ref: 0045E178
• lua_pushnil.LUA5.1(?,?,00000003,0000000A), ref: 0045E1D4
• lua_next.LUA5.1(?,00000003,?,?,00000003,0000000A), ref: 0045E1DC
• lua_type.LUA5.1(?,00000005,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E22F
• lua_type.LUA5.1(?,00000005,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E23E
• lua_type.LUA5.1(?,00000006,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E25C
• lua_type.LUA5.1(?,00000006,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E26B
• lua_type.LUA5.1(?,00000007,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E289
• lua_type.LUA5.1(?,00000007,?,?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 0045E298
  • Part of subcall function 004593D3: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593E5
  • Part of subcall function 004593D3: lua_pushstring.LUA5.1(?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F0
  • Part of subcall function 004593D3: lua_gettable.LUA5.1(?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F8
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459400
  • Part of subcall function 004593D3: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459408
  • Part of subcall function 004593D3: lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 0045941E
  • Part of subcall function 004593D3: lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00407717), ref: 0045942A
  • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FF,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 00459439
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_type.$lua_remove.$lua_getfield.lua_gettable.lua_pcall.lua_pushnil.lua_pushstring.$H_prolog3lua_next.lua_pushnumber.
• String ID: CANCEL
• API String ID: 1121822986-2800616180
• Opcode ID: 867cc3a0f5ab3008c997e907d93be17899ab25b816bcc57899a7ff1b163c14e5
• Instruction ID: 37e720578c5f2fc1c70d12af50fcc7e46d1cfd8ecfd47baafa11523edcaf63bb
• Opcode Fuzzy Hash: 867cc3a0f5ab3008c997e907d93be17899ab25b816bcc57899a7ff1b163c14e5
• Instruction Fuzzy Hash: A871F731909214B9EB19B666CC07FEF76689F12315F20015FF911761C3EE7C6B0A866E
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00488552
• GetDC.USER32(?), ref: 0048856D
• CreateHalftonePalette.GDI32(?,00000000), ref: 0048857E
• ReleaseDC.USER32(?,?), ref: 00488593
• GetSystemMenu.USER32(?,00000000), ref: 0048859E
• RemoveMenu.USER32(?,0000F000,00000000,00000000), ref: 004885C4
• RemoveMenu.USER32(?,0000F030,00000000), ref: 004885D0
• RemoveMenu.USER32(?,0000F020,00000000), ref: 004885DC
• RemoveMenu.USER32(?,0000F120,00000000), ref: 004885E8
• ModifyMenuA.USER32(?,0000F060,00000001,00000000,00000000), ref: 0048861D
• RemoveMenu.USER32(?,00000001,00000400), ref: 0048862D
• RemoveMenu.USER32(?,00000001,00000400), ref: 00488639
• _strlen.LIBCMT ref: 00488683
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Menu$Remove$CreateH_prolog3HalftoneModifyPaletteReleaseSystem_strlen
• String ID: .ini$\irsetup.skin$_DisableCloseButton
• API String ID: 1932109235-2821109618
• Opcode ID: bda68505ea16c8607c5d0b049c1e90069847d078455ad39c877f05b3863ff4f0
• Instruction ID: 40072daacc08c0f9f9c2a752e5a4e5e2f0efc07153967998846ec6dfb7f039ea
• Opcode Fuzzy Hash: bda68505ea16c8607c5d0b049c1e90069847d078455ad39c877f05b3863ff4f0
• Instruction Fuzzy Hash: 64519F71900205ABDB10ABB4CD46FAE7BAABF00314F14456EF515BB5E2CF78A900CB99
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00476608
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_getfield.LUA5.1(?,FFFFD8EE,string), ref: 00476677
                                                                                                                              • lua_pushstring.LUA5.1(?,sub,?,FFFFD8EE,string), ref: 00476682
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,sub,?,FFFFD8EE,string), ref: 0047668A
                                                                                                                              • lua_remove.LUA5.1(?,000000FE,?,000000FE,?,sub,?,FFFFD8EE,string), ref: 00476692
                                                                                                                              • lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,sub,?,FFFFD8EE,string), ref: 0047669A
                                                                                                                              • lua_pushstring.LUA5.1(?,?), ref: 004766AB
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?), ref: 004766B7
                                                                                                                              • lua_pushnumber.LUA5.1(?,?), ref: 004766C9
                                                                                                                              • lua_pcall.LUA5.1(?,00000003,00000001,00000000,?,?), ref: 004766D4
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,00000B54), ref: 00476731
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_pushstring.$lua_remove.$lua_getfield.lua_gettable.lua_pcall.lua_pushnumber.lua_type.$lua_gettop.lua_tolstring.
                                                                                                                              • String ID: string$sub
                                                                                                                              • API String ID: 2420918779-840957247
                                                                                                                              • Opcode ID: 1ab2a4fc334032bd4e05942922ee8a8d2bf0f6dddc943eb54ba08a9d30faafee
                                                                                                                              • Instruction ID: c741ae442bacf06beb6974f6fa366705d07439002c83e0b6e86d99caf6ce0dfe
                                                                                                                              • Opcode Fuzzy Hash: 1ab2a4fc334032bd4e05942922ee8a8d2bf0f6dddc943eb54ba08a9d30faafee
                                                                                                                              • Instruction Fuzzy Hash: A1311830908815B6CB157B668D43EEF36269F42319F60421FF431762C7DE3C2B0282AE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004764C5
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_getfield.LUA5.1(?,FFFFD8EE,string), ref: 00476521
                                                                                                                              • lua_pushstring.LUA5.1(?,sub,?,FFFFD8EE,string), ref: 0047652C
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,sub,?,FFFFD8EE,string), ref: 00476534
                                                                                                                              • lua_remove.LUA5.1(?,000000FE,?,000000FE,?,sub,?,FFFFD8EE,string), ref: 0047653C
                                                                                                                              • lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,sub,?,FFFFD8EE,string), ref: 00476544
                                                                                                                              • lua_pushstring.LUA5.1(?,?), ref: 00476555
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?), ref: 00476560
                                                                                                                              • lua_pushnumber.LUA5.1(?,?), ref: 0047656F
                                                                                                                              • lua_pcall.LUA5.1(?,00000003,00000001,00000000,?,?), ref: 0047657B
                                                                                                                              • lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 004765A5
                                                                                                                              • lua_remove.LUA5.1(?,000000FF,00000000), ref: 004765B9
                                                                                                                              • lua_remove.LUA5.1(?,000000FF), ref: 004765C3
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,00000B54), ref: 004765DA
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_remove.$H_prolog3lua_pushstring.$lua_getfield.lua_gettable.lua_pcall.lua_pushnumber.lua_tolstring.lua_type.$lua_gettop.
                                                                                                                              • String ID: string$sub
                                                                                                                              • API String ID: 739098303-840957247
                                                                                                                              • Opcode ID: 8ca6110a9fe8f9b3f25d1b7a59d5bf1d1bf29ce844803788db609b00468a439c
                                                                                                                              • Instruction ID: 1acc04b04f938ad394cc40b145fb0c1beef07f6fdeed691572ec4d10448d3648
                                                                                                                              • Opcode Fuzzy Hash: 8ca6110a9fe8f9b3f25d1b7a59d5bf1d1bf29ce844803788db609b00468a439c
                                                                                                                              • Instruction Fuzzy Hash: 9A310730909915B2DA117B668C43FEE31159F1232AF60461FF430751D7DE6D3B0542BE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0048A5ED
                                                                                                                                • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004414FE: __EH_prolog3.LIBCMT ref: 00441505
                                                                                                                                • Part of subcall function 00489D6A: __EH_prolog3.LIBCMT ref: 00489D71
                                                                                                                                • Part of subcall function 00441614: __EH_prolog3.LIBCMT ref: 0044161B
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415183
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415210
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415231
                                                                                                                                • Part of subcall function 00489C67: __EH_prolog3.LIBCMT ref: 00489C6E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_strlen
                                                                                                                              • String ID: BDFILL$BDIMG$CstClrs$CstFnts$FTSEP$Fonts$HDSEP$SBIMG$ScreenH$ScreenW$StyleData$TBIMG$TBTXTX$TBTXTY
                                                                                                                              • API String ID: 3239654323-2045141102
                                                                                                                              • Opcode ID: 2620617e622f2057962bd5b7a64754a1eed7a6bf336116be529e5434488403d3
                                                                                                                              • Instruction ID: 01c08598fef3520bf03dc9c758177b8d0310cde44e156d9744eaa0b036d1fb8c
                                                                                                                              • Opcode Fuzzy Hash: 2620617e622f2057962bd5b7a64754a1eed7a6bf336116be529e5434488403d3
                                                                                                                              • Instruction Fuzzy Hash: 04A19270500288FFCB04EB79C851EED7BB8AF11308F14455EB56A672E2DB78AB48C795
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00474089
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_pushstring.LUA5.1(?,Text), ref: 004740E4
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,Text), ref: 004740EC
• lua_isstring.LUA5.1(?,000000FF,?,000000FE,?,Text), ref: 004740F4
• lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 00474104
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_settop.LUA5.1(?,000000FE), ref: 00474147
• lua_pushstring.LUA5.1(?,Visible,?,000000FE), ref: 00474152
• lua_gettable.LUA5.1(?,000000FE,?,Visible,?,000000FE), ref: 0047415A
• lua_type.LUA5.1(?,000000FF,?,000000FE,?,Visible,?,000000FE), ref: 00474162
• lua_toboolean.LUA5.1(?,000000FF), ref: 00474172
• lua_settop.LUA5.1(?,000000FE), ref: 0047418D
• IsWindow.USER32(?), ref: 004741AB
• RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 004741D2
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$lua_gettable.lua_pushstring.lua_type.$Windowlua_remove.lua_settop.$Redrawlua_getfield.lua_gettop.lua_isstring.lua_pcall.lua_toboolean.lua_tolstring.
• String ID: Text$Visible
• API String ID: 3329575268-2024253636
• Opcode ID: da15b1a1aa47b293cecce73a964996910093aea52ce3f15b9b3759f0e453c8da
• Instruction ID: b33fb3f4a4071cfcdc984f3dfaa21ba9b3df6314bfe2800ab63a70f5495af573
• Opcode Fuzzy Hash: da15b1a1aa47b293cecce73a964996910093aea52ce3f15b9b3759f0e453c8da
• Instruction Fuzzy Hash: 0831D771908111ABCB15BF668C86EBE3279AF42735F50435EF8247A1D3DF3C6D008A69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
• lua_type.LUA5.1(?,00000002,?,00000001,?,00000001,?), ref: 0046A3F8
• lua_type.LUA5.1(?,00000002), ref: 0046A408
• GetProcAddress.KERNEL32(00000000,MsiSetInternalUI), ref: 0046A43A
• lua_createtable.LUA5.1(?,00000000,00000000), ref: 0046A453
• lua_pushstring.LUA5.1(?,PreviousInterface,?,00000000,00000000), ref: 0046A45E
• lua_pushnumber.LUA5.1(?,?,00000000,00000000), ref: 0046A46D
• lua_settable.LUA5.1(?,000000FD,?,?,00000000,00000000), ref: 0046A475
• lua_pushstring.LUA5.1(?,PreviousWindowHandle,?,000000FD,?,?,00000000,00000000), ref: 0046A480
• lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046A495
• lua_pushnil.LUA5.1(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046A4A0
• lua_settable.LUA5.1(?,000000FD,?,?,?,?,?,?,?,?,?,00000000), ref: 0046A4A9
• lua_pushnil.LUA5.1(?), ref: 0046A4D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_pushstring.lua_type.$lua_pushnil.lua_pushnumber.lua_remove.lua_settable.$AddressH_prolog3Proclua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.
• String ID: MsiSetInternalUI$PreviousInterface$PreviousWindowHandle
• API String ID: 2704171997-46935026
• Opcode ID: 8b384ffcd3f58a95fde6f5cace056d15ee1f47a9f10f934fcf533fe58a7b0ceb
• Instruction ID: 28c8c3a23f819620be5e5fb6aeb083c1c34e6726e28d015fb74702eece21acf9
• Opcode Fuzzy Hash: 8b384ffcd3f58a95fde6f5cace056d15ee1f47a9f10f934fcf533fe58a7b0ceb
• Instruction Fuzzy Hash: 2731D531809A14B9D7117F669C0BDDE36689F0232AF20454BF410B10C7FEBD6B558A6F
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041853B
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: (No SP)$ (or newer)$ SP%d$All$Any Future OS$None$Unknown$Windows 7$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Vista$Windows XP
• API String ID: 431132790-1951351909
• Opcode ID: 7d7949f1c222d791e5fa6620ea9f3269ef888967e30cecc9650422592fb2f088
• Instruction ID: c102b485ada45b4dd02179fe7e11188ef3d93e85a2b5413e3a668c9482a12bcb
• Opcode Fuzzy Hash: 7d7949f1c222d791e5fa6620ea9f3269ef888967e30cecc9650422592fb2f088
• Instruction Fuzzy Hash: DCA14C70A00119EBDF04EBE5CD92AFE777ABF40718F90055EB121772D2DBB82A059B45
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041853B
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: (No SP)$ (or newer)$ SP%d$All$Any Future OS$None$Unknown$Windows 7$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Vista$Windows XP
• API String ID: 431132790-1951351909
• Opcode ID: f55b7eef662e8fd5a7d792ba09cf5ba8f609ccec20d9d975134947241c6a6ed9
• Instruction ID: ac6c26443bddacdbfff2cf84929eda08a93c3b9c436042f8103cc21ff0f42f3b
• Opcode Fuzzy Hash: f55b7eef662e8fd5a7d792ba09cf5ba8f609ccec20d9d975134947241c6a6ed9
• Instruction Fuzzy Hash: CB913970A00119EBDF04EBE5CD92BFEB6B9BF44718F90055EB121772D2DBB82A049B45
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004760E6
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_getfield.LUA5.1(?,FFFFD8EE,string), ref: 00476130
• lua_pushstring.LUA5.1(?,lower,?,FFFFD8EE,string), ref: 0047613B
• lua_gettable.LUA5.1(?,000000FE,?,lower,?,FFFFD8EE,string), ref: 00476143
• lua_remove.LUA5.1(?,000000FE,?,000000FE,?,lower,?,FFFFD8EE,string), ref: 0047614B
• lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,lower,?,FFFFD8EE,string), ref: 00476153
• lua_pushstring.LUA5.1(?,?), ref: 00476164
• lua_pcall.LUA5.1(?,00000001,00000001,00000000,?,?), ref: 0047616E
• lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 00476198
• lua_remove.LUA5.1(?,000000FF,00000000), ref: 004761AC
• lua_remove.LUA5.1(?,000000FF), ref: 004761B6
• lua_pushstring.LUA5.1(?,?,?,00000B54), ref: 004761CD
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_remove.$H_prolog3lua_pushstring.$lua_getfield.lua_gettable.lua_pcall.lua_tolstring.lua_type.$lua_gettop.
• String ID: lower$string
• API String ID: 2578256382-1832601466
• Opcode ID: 0bbf009903d023b02ab90b4e469bc4e3da1777ac23d8b98483b61f14175d6793
• Instruction ID: d8c817d094db9fc3bd46a44aee96dbc3d44f9042de995e5d4375bbf5802fa746
• Opcode Fuzzy Hash: 0bbf009903d023b02ab90b4e469bc4e3da1777ac23d8b98483b61f14175d6793
• Instruction Fuzzy Hash: 1E21E12190981576DA017AA68D42FEF311ADF1232EFA4431BB431721D7DE2C2F0A41BE
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004761FB
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_getfield.LUA5.1(?,FFFFD8EE,string), ref: 00476245
                                                                                                                              • lua_pushstring.LUA5.1(?,upper,?,FFFFD8EE,string), ref: 00476250
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,upper,?,FFFFD8EE,string), ref: 00476258
                                                                                                                              • lua_remove.LUA5.1(?,000000FE,?,000000FE,?,upper,?,FFFFD8EE,string), ref: 00476260
                                                                                                                              • lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,upper,?,FFFFD8EE,string), ref: 00476268
                                                                                                                              • lua_pushstring.LUA5.1(?,?), ref: 00476279
                                                                                                                              • lua_pcall.LUA5.1(?,00000001,00000001,00000000,?,?), ref: 00476283
                                                                                                                              • lua_tolstring.LUA5.1(?,000000FF,00000000), ref: 004762AD
                                                                                                                              • lua_remove.LUA5.1(?,000000FF,00000000), ref: 004762C1
                                                                                                                              • lua_remove.LUA5.1(?,000000FF), ref: 004762CB
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,00000B54), ref: 004762E2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_remove.$H_prolog3lua_pushstring.$lua_getfield.lua_gettable.lua_pcall.lua_tolstring.lua_type.$lua_gettop.
                                                                                                                              • String ID: string$upper
                                                                                                                              • API String ID: 2578256382-3686168835
                                                                                                                              • Opcode ID: 52a1ba911ea83d90a63660a3c0ed3a89cae9551f20ee656187dfe752018c64e6
                                                                                                                              • Instruction ID: 5dd6ced2a2f96a8709847fe05ba91b953df642c1a39833d93c808350270ea6da
                                                                                                                              • Opcode Fuzzy Hash: 52a1ba911ea83d90a63660a3c0ed3a89cae9551f20ee656187dfe752018c64e6
                                                                                                                              • Instruction Fuzzy Hash: F921F36190982976DA117AA68C42FEF31199F1232EF60435BF431721D7DE2C2F0641BE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000), ref: 0045E4D6
                                                                                                                              • lua_pushstring.LUA5.1(?,Text,?,00000000,00000000), ref: 0045E4E1
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,Text,?,00000000,00000000), ref: 0045E4EA
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,Text,?,00000000,00000000), ref: 0045E4F2
                                                                                                                              • lua_pushstring.LUA5.1(?,Visible,?,000000FD,?,?,?,Text,?,00000000,00000000), ref: 0045E4FD
                                                                                                                              • lua_pushboolean.LUA5.1(?,?,?,Visible,?,000000FD,?,?,?,Text,?,00000000,00000000), ref: 0045E506
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,Visible,?,000000FD,?,?,?,Text,?,00000000,00000000), ref: 0045E50E
                                                                                                                              • lua_pushstring.LUA5.1(?,Enabled,?,000000FD,?,?,?,Visible,?,000000FD,?,?,?,Text,?,00000000), ref: 0045E519
                                                                                                                              • lua_pushboolean.LUA5.1(?,?), ref: 0045E525
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?), ref: 0045E52D
                                                                                                                              • lua_pushnil.LUA5.1(?), ref: 0045E547
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_pushstring.$lua_settable.$lua_pushboolean.lua_remove.$H_prolog3lua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_type.
                                                                                                                              • String ID: Enabled$Text$Visible
                                                                                                                              • API String ID: 3799973209-1258828939
                                                                                                                              • Opcode ID: 051eda2af53097124cb278c6a91307d189c3b1c025535384f653004ac57ddfcb
                                                                                                                              • Instruction ID: 825a8f75a6255a7c3cc1c566085d0e7618f0f6c063896b62d9b2026ba8801a75
                                                                                                                              • Opcode Fuzzy Hash: 051eda2af53097124cb278c6a91307d189c3b1c025535384f653004ac57ddfcb
                                                                                                                              • Instruction Fuzzy Hash: 6C118E32409A21BADA127E678C03FCF26199F0632AF10021EF514740C7AF6D7B0242BE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00452054
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3_strlen
                                                                                                                              • String ID: A bad pointer has been used.$Advapi32.dll$CreateProcessWithLogonW
                                                                                                                              • API String ID: 782648989-4276160095
                                                                                                                              • Opcode ID: c9b9f9e8bf8eb93798e9cba910c580d904ec00765437bfcf8e952729a42d8a07
                                                                                                                              • Instruction ID: 5a01151bb554aea6482553f4779d2a11d8590217cae0bc2ee3f03dba2be7bda2
                                                                                                                              • Opcode Fuzzy Hash: c9b9f9e8bf8eb93798e9cba910c580d904ec00765437bfcf8e952729a42d8a07
                                                                                                                              • Instruction Fuzzy Hash: 2BA1AE71800208EFCB15DFA9CD45AAEBBB5FF09315F14411FF910B62A2DB789944CBA8
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00470193
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 004701DA
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 004701E9
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 00470217
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 0047022A
                                                                                                                              • lua_pushnil.LUA5.1(?,?,00000003), ref: 00470242
                                                                                                                              • lua_next.LUA5.1(?,00000003,?,?,00000003), ref: 0047024A
                                                                                                                              • lua_tonumber.LUA5.1(?,000000FE), ref: 0047025E
                                                                                                                              • lua_tolstring.LUA5.1(?,000000FF,00000000,?,000000FE), ref: 0047026A
                                                                                                                              • _strlen.LIBCMT ref: 0047027C
                                                                                                                              • lua_settop.LUA5.1(?,000000FE,006A333C,00000000,00000000), ref: 0047028F
                                                                                                                              • lua_next.LUA5.1(?,00000003,?,000000FE,006A333C,00000000,00000000), ref: 00470297
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_type.$H_prolog3$_strlenlua_next.lua_remove.lua_tolstring.$lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushstring.lua_settop.lua_tonumber.
                                                                                                                              • String ID: I
                                                                                                                              • API String ID: 1513353274-517184014
                                                                                                                              • Opcode ID: 173dab58629844aaf4ce248e6121166c3139417fd16e6036ad108765569909ac
                                                                                                                              • Instruction ID: 7952d8d8e5506a93917375c2c267faf28ae85828bc702c03e3360924aa2bef79
                                                                                                                              • Opcode Fuzzy Hash: 173dab58629844aaf4ce248e6121166c3139417fd16e6036ad108765569909ac
                                                                                                                              • Instruction Fuzzy Hash: E451D472804105EADB05EBA9CC42BFF7678AF11728F14425FF425B62D3DE3C6A04827A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_getfield.LUA5.1(?,FFFFD8EE,table,?,00000001,?,00000003,?), ref: 0047A3BB
                                                                                                                              • lua_pushstring.LUA5.1(?,insert,?,FFFFD8EE,table,?,00000001,?,00000003,?), ref: 0047A3C6
                                                                                                                              • lua_gettable.LUA5.1(?,000000FE,?,insert,?,FFFFD8EE,table,?,00000001,?,00000003,?), ref: 0047A3CE
                                                                                                                              • lua_remove.LUA5.1(?,000000FE,?,000000FE,?,insert,?,FFFFD8EE,table,?,00000001,?,00000003,?), ref: 0047A3D6
                                                                                                                              • lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,insert,?,FFFFD8EE,table,?,00000001,?,00000003,?), ref: 0047A3DE
                                                                                                                              • lua_pushvalue.LUA5.1(?,00000001), ref: 0047A3EE
                                                                                                                              • lua_pushvalue.LUA5.1(?,00000002,?,00000001), ref: 0047A3F6
                                                                                                                              • lua_pushvalue.LUA5.1(?,00000003,?,00000002,?,00000001), ref: 0047A3FE
                                                                                                                              • lua_pcall.LUA5.1(?,00000003,00000000,00000000,?,00000003,?,00000002,?,00000001), ref: 0047A40A
                                                                                                                              • lua_remove.LUA5.1(?,000000FF), ref: 0047A432
                                                                                                                              • lua_remove.LUA5.1(?,000000FF), ref: 0047A43C
                                                                                                                              Strings
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_remove.$lua_pushvalue.lua_type.$H_prolog3lua_getfield.lua_gettable.lua_pcall.lua_pushstring.$lua_gettop.
                                                                                                                              • String ID: insert$table
                                                                                                                              • API String ID: 3930532097-2640480790
                                                                                                                              • Opcode ID: c6dcd18112f68fdb0b11d56df03f55cf28ae34e2ceff18d38f8a62fd1250aac0
                                                                                                                              • Instruction ID: 9ce1574715025ebb06485de8299a7057103cd0dd73f1c5d5e9e245df7a70f8f7
                                                                                                                              • Opcode Fuzzy Hash: c6dcd18112f68fdb0b11d56df03f55cf28ae34e2ceff18d38f8a62fd1250aac0
                                                                                                                              • Instruction Fuzzy Hash: F7115E2124DA2531E5223A275C47FDE11098F1372FF60821BF524752C7AE8E2B1241FF
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0046A565
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0045198A: __EH_prolog3.LIBCMT ref: 00451991
                                                                                                                              • _strlen.LIBCMT ref: 0046A666
                                                                                                                                • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
                                                                                                                                • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
                                                                                                                              • GetFileAttributesA.KERNEL32(?,\msi.dll,00000000,NONE,00000003,?,?,?,?,00000001,00000000,00000124,00406088,00000000,00000008), ref: 0046A681
                                                                                                                              • LoadLibraryA.KERNEL32(msi.dll,00000003,?,?,?,?,00000001,00000000,00000124,00406088,00000000,00000008), ref: 0046A6BD
                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000001,00000000,00000124,00406088,00000000,00000008), ref: 0046A6DA
                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00000000,00000124,00406088,00000000,00000008), ref: 0046A75D
                                                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0046A773
                                                                                                                                • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
                                                                                                                              Strings
                                                                                                                              Similarity
                                                                                                                              • API ID: FileH_prolog3Library$AttributesDirectoryFreeH_prolog3_LoadModuleNameSystem__mbsinc_memcpy_s_strlen_strnlen
                                                                                                                              • String ID: InstallerLocation$NONE$Software\Microsoft\Windows\CurrentVersion\Installer$\msi.dll$msi.dll
                                                                                                                              • API String ID: 3869650526-3461350423
                                                                                                                              • Opcode ID: 3f15ebf9e1e3fb15390a88a787854da8d6f84940e1ff5b952d3380169ac6746e
                                                                                                                              • Instruction ID: eb28d908747ea0b48ba96ae4b783b69686a504933810538d78eee2cb551ddb9f
                                                                                                                              • Opcode Fuzzy Hash: 3f15ebf9e1e3fb15390a88a787854da8d6f84940e1ff5b952d3380169ac6746e
                                                                                                                              • Instruction Fuzzy Hash: 435193719002189BDB14EB69CC96BDDB7B8AF15314F0041EEB509B32D2DA385F44CFA6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004065D8
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000,00000000,00000020), ref: 00406601
                                                                                                                              • lua_setfield.LUA5.1(?,FFFFD8EE,_CommandLineArgs), ref: 00406778
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_pushnumber.LUA5.1(?), ref: 00406726
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?), ref: 00406734
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?), ref: 00406741
                                                                                                                              Strings
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_createtable.lua_pushnumber.lua_pushstring.lua_setfield.lua_settable.
                                                                                                                              • String ID: _CommandLineArgs$__IRAFN$__IRAOFF$__IRCT$__IRSID$__IRTSS
                                                                                                                              • API String ID: 1988043533-4248917902
                                                                                                                              • Opcode ID: fa214d7008065ca1ca5b6c40969339079b8068e9173eac46ba3c476ab6d74e86
                                                                                                                              • Instruction ID: da490879e7f7349399ede81a8a5137e6d3253ac756d2c41856d1ecccf98340c1
                                                                                                                              • Opcode Fuzzy Hash: fa214d7008065ca1ca5b6c40969339079b8068e9173eac46ba3c476ab6d74e86
                                                                                                                              • Instruction Fuzzy Hash: E451A130911119ABCF04EBF5CC56BEEBBB5AF14318F10026EF516B72D2DA782A04C769
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00458299
                                                                                                                                • Part of subcall function 004C32AC: ActivateActCtx.KERNEL32(?,?), ref: 004C32CF
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • _strlen.LIBCMT ref: 00458366
                                                                                                                              Strings
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$Activate_strlen
                                                                                                                              • String ID: MSG_CLOSING_CONNECTION$MSG_CONNECTED_TO_SERVER$MSG_CONNECTING_TO_SERVER$MSG_CONNECTION_CLOSED$MSG_HOST_NAME_RESOLVED$MSG_REDIRECTING$MSG_RESOLVING_HOST_NAME$MSG_STATUS_HANDLE_CLOSING$MSG_STATUS_HANDLE_CREATED$MSG_STATUS_REQUEST_COMPLETE
                                                                                                                              • API String ID: 1677763243-282160135
                                                                                                                              • Opcode ID: 57cc1ab846bcda8443e760bc9b82ca43f50dc2129d15bb35378458df7ea3e0d7
                                                                                                                              • Instruction ID: b293a6f9f0b33b19a40e04def689747989984da8e08655cb4b614111275d4468
                                                                                                                              • Opcode Fuzzy Hash: 57cc1ab846bcda8443e760bc9b82ca43f50dc2129d15bb35378458df7ea3e0d7
                                                                                                                              • Instruction Fuzzy Hash: 9841D931800124DBCB24AE59C4456AF7A65AF12B61F14817FFC05BB392CE7D9E48CB9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 004B8BAB: GetParent.USER32(?), ref: 004B8BC0
                                                                                                                                • Part of subcall function 004B8BAB: GetParent.USER32(?), ref: 004B8BCF
                                                                                                                                • Part of subcall function 004B8BAB: GetParent.USER32(?), ref: 004B8BE5
                                                                                                                                • Part of subcall function 004B8BAB: SetFocus.USER32(?,00000000), ref: 004B8BFB
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00448617
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 00448642
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0044865C
                                                                                                                              • GetSubMenu.USER32(?,00000000), ref: 00448665
                                                                                                                              • SendMessageA.USER32(?,?,?,?), ref: 00448688
                                                                                                                              • TrackPopupMenuEx.USER32(?,00000182,?,?,?,00000000), ref: 004486A3
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004486B8
                                                                                                                              • PostMessageA.USER32(?,00000111,?,00000000), ref: 004486D0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Rect$InvalidateParent$MenuMessage$FocusPopupPostSendTrackWindow
                                                                                                                              • String ID: open
                                                                                                                              • API String ID: 577789284-2758837156
                                                                                                                              • Opcode ID: 7621bca52037fc5e48a5be5535deea00ba2356ce8c3f08fdd1756df9b167aa18
                                                                                                                              • Instruction ID: 266640d36b1d0ad21ae578210f4ff98eb18b192f7d1b272ed0120053fcd0249c
                                                                                                                              • Opcode Fuzzy Hash: 7621bca52037fc5e48a5be5535deea00ba2356ce8c3f08fdd1756df9b167aa18
                                                                                                                              • Instruction Fuzzy Hash: 5E412771800608AFDB219FA5DC49AEFFFF9FF89700F10441EE64AA2250DB755A41DB64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                              • IsWindow.USER32(00000000), ref: 0047C235
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 0047C24C
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000), ref: 0047C255
                                                                                                                              • lua_pushstring.LUA5.1(?,Width,?,00000000,00000000), ref: 0047C260
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,00000000,00000000), ref: 0047C278
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,00000000,00000000), ref: 0047C280
                                                                                                                              • lua_pushstring.LUA5.1(?,Height,?,000000FD,?,?,00000000,00000000), ref: 0047C28B
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,00000000,00000000), ref: 0047C2A3
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,?,?,?,?,00000000,00000000), ref: 0047C2AB
                                                                                                                              • lua_pushnil.LUA5.1(?), ref: 0047C2CD
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_pushstring.$Windowlua_pushnumber.lua_remove.lua_settable.$H_prolog3Rectlua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_type.
                                                                                                                              • String ID: Height$Width
                                                                                                                              • API String ID: 1097245944-1965321196
                                                                                                                              • Opcode ID: fc2665bdb6ec03b2c7a7927188f98645c1d1364426276bd34cc7ddf276052971
                                                                                                                              • Instruction ID: 8741271c9f1a0be4ceedf802db20e2736d0531f486da7431057a2719d3a6f74d
                                                                                                                              • Opcode Fuzzy Hash: fc2665bdb6ec03b2c7a7927188f98645c1d1364426276bd34cc7ddf276052971
                                                                                                                              • Instruction Fuzzy Hash: 08215271C04515BACB00AFAB8C46DEFBBB8EF45305F10415EF410A6192DB786B018BAE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • luaL_openlib.LUA5.1(?,Dialog,?,00000000), ref: 0045E478
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: L_openlib.
                                                                                                                              • String ID: ComboBox$Dialog$FileBrowse$FolderBrowse$Input$MaskedInput$Message$PasswordInput$SplashImage$TimedMessage
                                                                                                                              • API String ID: 3969157368-2997221968
                                                                                                                              • Opcode ID: 709ede42ecfb3ba58cce8c849a7c569857a7f2c17d59cdc64646c49af6259e12
                                                                                                                              • Instruction ID: 0225d071e258d977ffe7e67952668b86ec97579c40bd9db43188a44d647f5fe9
                                                                                                                              • Opcode Fuzzy Hash: 709ede42ecfb3ba58cce8c849a7c569857a7f2c17d59cdc64646c49af6259e12
                                                                                                                              • Instruction Fuzzy Hash: 2C11A4B0D012899B8B14EFD5E94949DBFF1EF46309B50811AD4156B206DBF89A0DCF58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • luaL_openlib.LUA5.1(00000005,HTTP,?,00000000), ref: 00480434
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: L_openlib.
                                                                                                                              • String ID: Download$DownloadSecure$GetConnectionState$GetFileSize$GetFileSizeSecure$GetHTTPErrorInfo$HTTP$Submit$SubmitSecure$TestConnection
                                                                                                                              • API String ID: 3969157368-168128308
                                                                                                                              • Opcode ID: 2ded5155874c10e9db52bdc877c34f1e81e7301e33b5675a6a3fa94953521bcd
                                                                                                                              • Instruction ID: 4116e2d36faf3f4323e369a3ea931c524ac1f5f5fa8b7122bcad7448b82124d8
                                                                                                                              • Opcode Fuzzy Hash: 2ded5155874c10e9db52bdc877c34f1e81e7301e33b5675a6a3fa94953521bcd
                                                                                                                              • Instruction Fuzzy Hash: 1511DCB0D04249AA8B04EFD5DD894DDBFF5EB0A308F54805EE4197B200D7B85E098F98
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: BackupFile$DecrementUsageCount$File$File added to uninstall list: $Filename$FontDesc$UninstallFiles$UnregisterCOM$UnregisterFont
                                                                                                                              • API String ID: 431132790-3341397462
                                                                                                                              • Opcode ID: 27352409fcd1095a7f4791ae86641fdbe7772040a0ff8fd6f20cfd7fff37b31c
                                                                                                                              • Instruction ID: 3f0bbbb89b0eedb2c5d4205137c6be9a879ec4627445e3937c284754dd5d5763
                                                                                                                              • Opcode Fuzzy Hash: 27352409fcd1095a7f4791ae86641fdbe7772040a0ff8fd6f20cfd7fff37b31c
                                                                                                                              • Instruction Fuzzy Hash: 55E185B0A00715AFCF24EF65D8919AEBBF5BF04704B00452FF156A7782D738A944CB99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _strlen.LIBCMT ref: 0043645D
                                                                                                                              • MessageBoxA.USER32(?,00000000,?), ref: 004365AC
                                                                                                                                • Part of subcall function 00403F67: __EH_prolog3.LIBCMT ref: 00403F71
                                                                                                                              • _strlen.LIBCMT ref: 004366EB
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _strlen$H_prolog3Message
                                                                                                                              • String ID: %s%s$ERR_CREATE_FOLDER$ERR_MEMORY_ALLOCATE_DECOMPRESS$Extract dependency file: $MSG_ERROR$x
                                                                                                                              • API String ID: 1482627676-3512040138
                                                                                                                              • Opcode ID: ef614544570dfb15f242129696be554e3b6c460235b131232ce18ba5d0adb352
                                                                                                                              • Instruction ID: 9c84799ddd4049540f47d508d98b5116ec5f7dcf9f8d4a7f8fb4de6df4373ee4
                                                                                                                              • Opcode Fuzzy Hash: ef614544570dfb15f242129696be554e3b6c460235b131232ce18ba5d0adb352
                                                                                                                              • Instruction Fuzzy Hash: BBE16DB09001199FDB24DB69CC81DEEB7B5AF09318F0041EEF299A7291DBB856C4CF59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0048C0CB
                                                                                                                                • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415183
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415210
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415231
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415255
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415275
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 004152C8
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 004152F3
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415322
                                                                                                                                • Part of subcall function 004150D3: _strlen.LIBCMT ref: 0041534C
                                                                                                                                • Part of subcall function 0048A5E6: __EH_prolog3.LIBCMT ref: 0048A5ED
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _strlen$H_prolog3$Exception@8Throw
                                                                                                                              • String ID: BannerStyle$Controls$Events$Languages$Name$OverrideProjTheme$Screen$TemplateName$Type
                                                                                                                              • API String ID: 32230-2848213552
                                                                                                                              • Opcode ID: 1a4803a54e5577d08e9a5b7fe3cef438beab834c4f31f35237efc29e5bb3b348
                                                                                                                              • Instruction ID: 8945123a02e45ac0537e730ba8b8f2ea55a2cbeb62d65e47211fefc2c7d08795
                                                                                                                              • Opcode Fuzzy Hash: 1a4803a54e5577d08e9a5b7fe3cef438beab834c4f31f35237efc29e5bb3b348
                                                                                                                              • Instruction Fuzzy Hash: 73515270700604ABDF14BFA2CC96FAF7766AF84704F14482EB5165B2D2CA78DD44CB68
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0043C22E
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0043C2C6
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0043C33E
                                                                                                                              • lua_settop.LUA5.1(00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000,00000000,000000B8), ref: 0043C35B
                                                                                                                              • lua_getfield.LUA5.1(00000000,FFFFD8EE,_tblErrorMessages,00000000,00000000,00000000,00000000,00000000,00000008,00404284,?,?,00000010,00000000,00000000,00000000), ref: 0043C36B
                                                                                                                              • lua_pushnumber.LUA5.1(00000000), ref: 0043C37A
                                                                                                                              • lua_pushstring.LUA5.1(00000000,00000000), ref: 0043C3A6
                                                                                                                              • lua_settable.LUA5.1(00000000,000000FD), ref: 0043C3BB
                                                                                                                              • lua_settop.LUA5.1(00000000,000000FE,00000000,000000FD), ref: 0043C3C3
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_settop.$lua_getfield.lua_pushnumber.lua_pushstring.lua_settable.
                                                                                                                              • String ID: _tblErrorMessages
                                                                                                                              • API String ID: 1535972423-1976560367
                                                                                                                              • Opcode ID: 9c2edc19b31d900021f5398fb18231fba6807c1c686a60488621cf3d0cb3882f
                                                                                                                              • Instruction ID: 3f372db97cb08f57c7b2e31498ebfdbc3dbcdbe9c7c39bbba98084ddc76a6b58
                                                                                                                              • Opcode Fuzzy Hash: 9c2edc19b31d900021f5398fb18231fba6807c1c686a60488621cf3d0cb3882f
                                                                                                                              • Instruction Fuzzy Hash: 8B51B4319005159BCB14BFA5CC92BAE7761AF54328F14825EFC25BB3D2DB38EA01C799
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00424173
                                                                                                                              • LoadLibraryA.KERNEL32(?,00000010), ref: 00424189
                                                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0042419B
                                                                                                                              • GetLastError.KERNEL32 ref: 004241A7
                                                                                                                              • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004241C3
                                                                                                                              • GetLastError.KERNEL32 ref: 004241CD
                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 004241DC
                                                                                                                              • GetLastError.KERNEL32 ref: 00424228
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastLibrary$Load$AddressFreeH_prolog3Proc
                                                                                                                              • String ID: DllRegisterServer$Error 0x%08x: %s
                                                                                                                              • API String ID: 2791918730-2078401348
                                                                                                                              • Opcode ID: fe21490a5083d16746194e94ca339dec9b360b6bb9569119aae99aecd7e250b7
                                                                                                                              • Instruction ID: ca29723023c3009df0fcd32cf0205036390a2c6323b71ad5980b07a26fb1433d
                                                                                                                              • Opcode Fuzzy Hash: fe21490a5083d16746194e94ca339dec9b360b6bb9569119aae99aecd7e250b7
                                                                                                                              • Instruction Fuzzy Hash: 1421D474A04224ABCB11EFB0EC499BE7BBAFF94314F50481BF81297250DB744A41CB50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00496457
                                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 004964F4
                                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 00496570
                                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 004965ED
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0043A2C6: __EH_prolog3.LIBCMT ref: 0043A2CD
                                                                                                                                • Part of subcall function 004AADE0: __EH_prolog3.LIBCMT ref: 004AADE7
                                                                                                                                • Part of subcall function 0041D1E5: __EH_prolog3.LIBCMT ref: 0041D1EC
                                                                                                                                • Part of subcall function 0041D1E5: GetDC.USER32(?), ref: 0041D1FE
                                                                                                                                • Part of subcall function 0041D1E5: ReleaseDC.USER32(?,?), ref: 0041D24B
                                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 0049666A
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3MetricsSystem$H_prolog3_Release
                                                                                                                              • String ID: IDS_CTRL_BUTTON_BACK$IDS_CTRL_BUTTON_CANCEL$IDS_CTRL_BUTTON_HELP$IDS_CTRL_BUTTON_NEXT
                                                                                                                              • API String ID: 2337561883-2679619293
                                                                                                                              • Opcode ID: aea3f30f620ee430f4cd490c2cef775861516a6c3cf0df4e124f3f5df823fb76
                                                                                                                              • Instruction ID: dacb96f3d907ff78cd6654527cf1c10a838a91f693e4c3db82b083d2d4a040a7
                                                                                                                              • Opcode Fuzzy Hash: aea3f30f620ee430f4cd490c2cef775861516a6c3cf0df4e124f3f5df823fb76
                                                                                                                              • Instruction Fuzzy Hash: 81714171D10209ABDF04EFA9D942AEEBBB9AF09714F15006EF405B7281DB35AD04CB79
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0044043E
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0043FE81: __EH_prolog3.LIBCMT ref: 0043FE88
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_malloc
                                                                                                                              • String ID: -- Call this function at the end after all other On Shutdown actions.-- This will cause the system to be rebooted, if needed.-- Defined in _SUF70_Global_Functions.lua-- Do not edit this script unless you know what your are doingg_HandleSystemReboot()$-- These actions are performed is an error occurs while the setup is uninstalling files.$On Post Uninstall$On Pre Uninstall$On Shutdown$On Startup$On Uninstall Error$number e_ErrorCode, string e_ErrorMsgID
                                                                                                                              • API String ID: 1683881009-2834748795
                                                                                                                              • Opcode ID: 8895d1a870984f1ff0115e0c73eab63ac1f5b8206e8e41c9ac30c498ff878175
                                                                                                                              • Instruction ID: 5ee4dc75249451a88e22b05e6e2831f9c3373cd36716a81e22132418c7824edc
                                                                                                                              • Opcode Fuzzy Hash: 8895d1a870984f1ff0115e0c73eab63ac1f5b8206e8e41c9ac30c498ff878175
                                                                                                                              • Instruction Fuzzy Hash: 08611971D00205A6EF14EFA589926EE76B59F84714F04423FE916B72D2DF3C5A02CBA8
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __fassign__mbclen_strlen$H_prolog3_strnlen
                                                                                                                              • String ID: <&>$<&>'"
                                                                                                                              • API String ID: 1644595256-3047967720
                                                                                                                              • Opcode ID: 2eb814653d6967a6e65e73a8d62414f0a4aa7a28e0d6bc5c03392ac5c5837d2c
                                                                                                                              • Instruction ID: 45206bfe4ad5b1227749fb290dde60c0ecc0ca1701281b812fef9b253ded9fd5
                                                                                                                              • Opcode Fuzzy Hash: 2eb814653d6967a6e65e73a8d62414f0a4aa7a28e0d6bc5c03392ac5c5837d2c
                                                                                                                              • Instruction Fuzzy Hash: DD510171C4010A8BCF24AF68DA456EFBB75BE46310F54041BE460F2291D7BC9DA7876D
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049A284
                                                                                                                                • Part of subcall function 00496368: __EH_prolog3.LIBCMT ref: 0049636F
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0048CD71: __EH_prolog3.LIBCMT ref: 0048CD78
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                              Strings
                                                                                                                              • IDS_CTRL_STATICTEXT_BODY, xrefs: 0049A310
                                                                                                                              • Total space required: %SpaceRequired%, xrefs: 0049A2CB
                                                                                                                              • IDS_CTRL_CATEGORY_DESCRIPTION_%.3d, xrefs: 0049A3BF
                                                                                                                              • Category%.3d, xrefs: 0049A366
                                                                                                                              • IDS_CTRL_STATICTEXT_SPACEREQUIRED, xrefs: 0049A2DE
                                                                                                                              • IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS, xrefs: 0049A2AD
                                                                                                                              • Please select the program features that you want to install., xrefs: 0049A299
                                                                                                                              • IDS_CTRL_CATEGORY_NAME_%.3d, xrefs: 0049A357
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_memcpy_s
                                                                                                                              • String ID: Category%.3d$IDS_CTRL_CATEGORY_DESCRIPTION_%.3d$IDS_CTRL_CATEGORY_NAME_%.3d$IDS_CTRL_STATICTEXT_BODY$IDS_CTRL_STATICTEXT_SPACEREQUIRED$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS$Please select the program features that you want to install.$Total space required: %SpaceRequired%
                                                                                                                              • API String ID: 1663610674-3265531184
                                                                                                                              • Opcode ID: 4b89a72568a3e44c7cc7d66b2523adec20b6c82185f28b87b13eba42f16980ff
                                                                                                                              • Instruction ID: 7013d80e246c6d59c9ed0f0603be6d7f2ecc3302ca025aeb199a268cd1795471
                                                                                                                              • Opcode Fuzzy Hash: 4b89a72568a3e44c7cc7d66b2523adec20b6c82185f28b87b13eba42f16980ff
                                                                                                                              • Instruction Fuzzy Hash: 28415471D00209AFCF04EFA9CD53AAE7BB5AF45314F10461EF025772D2CB385A018BA9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00482198
                                                                                                                              • GetFileAttributesA.KERNEL32(?,00000008,004260E8,?,00000000,00000040,0042D002,?,00000004,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0048220C
                                                                                                                              • LoadLibraryA.KERNEL32(?,?,00000000,00000040,0042D002,?,00000004,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0048221A
                                                                                                                              • GetProcAddress.KERNEL32(00000000,irPlg_Action_RegisterActions), ref: 0048223E
                                                                                                                              • GetProcAddress.KERNEL32(00000000,irPlg_GetSDKVersion), ref: 00482249
                                                                                                                              • lua_settop.LUA5.1(00000000,00000000,?,00000000,00000040,0042D002,?,00000004,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00482280
                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,00000040,0042D002,?,00000004,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004822C9
                                                                                                                              Strings
                                                                                                                              • irPlg_GetSDKVersion, xrefs: 00482240
                                                                                                                              • irPlg_Action_RegisterActions, xrefs: 00482238
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryProc$AttributesFileFreeH_prolog3Loadlua_settop.
                                                                                                                              • String ID: irPlg_Action_RegisterActions$irPlg_GetSDKVersion
                                                                                                                              • API String ID: 3972953969-3379117294
                                                                                                                              • Opcode ID: 9648d20a421a73487f6195061607b826dca88f536efd9a51142e199f19660cdd
                                                                                                                              • Instruction ID: 60f7698ad5c936744705cd1f6c2e3e9859f774ebc44bd8c6defc04e5863b7075
                                                                                                                              • Opcode Fuzzy Hash: 9648d20a421a73487f6195061607b826dca88f536efd9a51142e199f19660cdd
                                                                                                                              • Instruction Fuzzy Hash: 7F411671500205DBCF10FFA4CE846AFBBB1BF40314F204A2FE52663291CBB89A41CB55
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049636F
                                                                                                                                • Part of subcall function 0048D9F9: __EH_prolog3.LIBCMT ref: 0048DA00
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0048CD71: __EH_prolog3.LIBCMT ref: 0048CD78
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: < Back$Cancel$Help$IDS_CTRL_BUTTON_BACK$IDS_CTRL_BUTTON_CANCEL$IDS_CTRL_BUTTON_HELP$IDS_CTRL_BUTTON_NEXT$Next >
                                                                                                                              • API String ID: 431132790-298686068
                                                                                                                              • Opcode ID: 969f29a5ecc8bc231155cfd21fa1f3b2198c7f1bfc87c498c0e8f376718f5f14
                                                                                                                              • Instruction ID: 15ee14df58623d4d9940f5b22fc6f43e3b37781d71e8442a90612c588c1ae9e4
                                                                                                                              • Opcode Fuzzy Hash: 969f29a5ecc8bc231155cfd21fa1f3b2198c7f1bfc87c498c0e8f376718f5f14
                                                                                                                              • Instruction Fuzzy Hash: D2215770A54705BBCF08BF99C95395D7EB59F46B24F20471EB025732D1CB781A018ABA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 006465E6
                                                                                                                              • RtlInitializeCriticalSection.NTDLL(00767670), ref: 00646657
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalInitializeSection_memset
                                                                                                                              • String ID: COMCTL32.DLL$GDI32.DLL$KERNEL32.DLL$MSCTF.DLL$SHLWAPI.DLL$USER32.DLL$WININET.DLL
                                                                                                                              • API String ID: 453477542-3335732458
                                                                                                                              • Opcode ID: e7117a400a0d3b99813a4fd02da3a1a1c78a6efa2d883ce0c40b0ec455d5899e
                                                                                                                              • Instruction ID: 650f7a9a6abedcde619ee26e5918c06273316d013f6f6d212b940610e05af3da
                                                                                                                              • Opcode Fuzzy Hash: e7117a400a0d3b99813a4fd02da3a1a1c78a6efa2d883ce0c40b0ec455d5899e
                                                                                                                              • Instruction Fuzzy Hash: 8E116071790B14ABDB55EB54DC13F6D76EBAB46F04F00810DF616AB2C1DBB83900468E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                              • IsWindow.USER32(00000000), ref: 0047C14F
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 0047C166
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000), ref: 0047C16F
                                                                                                                              • lua_pushstring.LUA5.1(?,0069937C,?,00000000,00000000), ref: 0047C17A
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,00000000,00000000), ref: 0047C189
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,00000000,00000000), ref: 0047C191
                                                                                                                              • lua_pushstring.LUA5.1(?,00699378,?,000000FD,?,?,00000000,00000000), ref: 0047C19C
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,00000000,00000000), ref: 0047C1AB
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,?,?,?,?,00000000,00000000), ref: 0047C1B3
                                                                                                                              • lua_pushnil.LUA5.1(?), ref: 0047C1D5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_pushstring.$Windowlua_pushnumber.lua_remove.lua_settable.$Rectlua_createtable.lua_getfield.lua_gettable.lua_pcall.lua_pushnil.lua_type.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2785713775-0
                                                                                                                              • Opcode ID: 7c74fcd30a2da32914f66b1cbffbd6c7df6edadee0fa8d1cc4744f2b3700b2cd
                                                                                                                              • Instruction ID: f4ed8d39498f739ee9eac02e542bd623d53c035cd1c74215fbc693553a9d1710
                                                                                                                              • Opcode Fuzzy Hash: 7c74fcd30a2da32914f66b1cbffbd6c7df6edadee0fa8d1cc4744f2b3700b2cd
                                                                                                                              • Instruction Fuzzy Hash: F3216071808515BADB01BF6A8C46DEF7AB8EF46315F10011FF405A1193DB796B0286BA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 005DC41A
                                                                                                                                • Part of subcall function 005F77A3: IsBadHugeWritePtr.KERNEL32(00000000,?), ref: 005F77E1
                                                                                                                              • _memset.LIBCMT ref: 005DC88B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3_HugeWrite_memset
                                                                                                                              • String ID: $($B$M$\lv$^
                                                                                                                              • API String ID: 1514083307-1211750330
                                                                                                                              • Opcode ID: 3cc05cd3c345f053c3da581f0d6819f8f803837c825c7505514331f2f10be948
                                                                                                                              • Instruction ID: ebe2065a70eff08c5bec86504809b92a064ddffa36fe483375dc10a3c45fad23
                                                                                                                              • Opcode Fuzzy Hash: 3cc05cd3c345f053c3da581f0d6819f8f803837c825c7505514331f2f10be948
                                                                                                                              • Instruction Fuzzy Hash: 21F12CB190412A8BCF348F28CC947A9BFB5BB85305F1445DBE609A7391DB719E84CF19
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 0040444F
                                                                                                                              • _malloc.LIBCMT ref: 00404499
                                                                                                                                • Part of subcall function 005B4B83: __FF_MSGBANNER.LIBCMT ref: 005B4B9C
                                                                                                                                • Part of subcall function 005B4B83: __NMSG_WRITE.LIBCMT ref: 005B4BA3
                                                                                                                                • Part of subcall function 005B4B83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 005B4BC8
                                                                                                                              • _free.LIBCMT ref: 004044F1
                                                                                                                                • Part of subcall function 004C1EF8: GetFileSize.KERNEL32(?,00000001,?,?,?,?,0040389E,EDB88320,?,00008020,00000000,00000024), ref: 004C1F09
                                                                                                                                • Part of subcall function 004C1EF8: GetLastError.KERNEL32(00008DD8,?,?,?,?,0040389E,EDB88320,?,00008020,00000000,00000024), ref: 004C1F1E
                                                                                                                                • Part of subcall function 004C1EF8: GetLastError.KERNEL32(?,?,?,?,?,0040389E,EDB88320,?,00008020,00000000,00000024), ref: 004C1F27
                                                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,00008020,00000000,00000000,00000084), ref: 00404515
                                                                                                                              • _free.LIBCMT ref: 00404534
                                                                                                                                • Part of subcall function 005B4C17: RtlFreeHeap.NTDLL(00000000,00000000,?,005C092F,00000000,?,005C4E2D,?,00000001,?,?,005C4363,00000018,00738D88,0000000C,005C43F3), ref: 005B4C2D
                                                                                                                                • Part of subcall function 005B4C17: GetLastError.KERNEL32(00000000,?,005C092F,00000000,?,005C4E2D,?,00000001,?,?,005C4363,00000018,00738D88,0000000C,005C43F3,?), ref: 005B4C3F
                                                                                                                                • Part of subcall function 004C1FA7: FindCloseChangeNotification.KERNEL32(?,?,00008DD8,004038C7,EDB88320,?,00008020,00000000,00000024), ref: 004C1FB8
                                                                                                                                • Part of subcall function 004C1FA7: GetLastError.KERNEL32(?,?,00008DD8,004038C7,EDB88320,?,00008020,00000000,00000024), ref: 004C1FDC
                                                                                                                                • Part of subcall function 004C213C: __EH_prolog3_catch_GS.LIBCMT ref: 004C2146
                                                                                                                                • Part of subcall function 004278AD: __EH_prolog3.LIBCMT ref: 004278B4
                                                                                                                              Strings
                                                                                                                              • INSTALL_STAGE_INSTALLING_FILES, xrefs: 0040468A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast$FileHeap_free$AllocateAttributesChangeCloseFindFreeH_prolog3H_prolog3_catchH_prolog3_catch_NotificationSize_malloc
                                                                                                                              • String ID: INSTALL_STAGE_INSTALLING_FILES
                                                                                                                              • API String ID: 2178687078-3727005748
                                                                                                                              • Opcode ID: 3f080b6ba11eba8dd17cb64c249b1465a0a373d1d6e90dbb3ee94ad0acd6a9f3
                                                                                                                              • Instruction ID: f288ca90aa31a7394a7700207a16a75297dd20f140c9c7a058658ba951c4de41
                                                                                                                              • Opcode Fuzzy Hash: 3f080b6ba11eba8dd17cb64c249b1465a0a373d1d6e90dbb3ee94ad0acd6a9f3
                                                                                                                              • Instruction Fuzzy Hash: D4815970D00219EBCF14EFA5C991AEDBBB1BF49314F20816EE525B3292EB785A44CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0041C498
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004410F9: __EH_prolog3.LIBCMT ref: 00441100
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: BackupFile$DecrementUsageCount$File$Filename$FontDesc$UnregisterCOM$UnregisterFont
                                                                                                                              • API String ID: 431132790-3749589439
                                                                                                                              • Opcode ID: 5cb8527918d772ac1ae0efbb5a872338a0c4fd5140d61a6e8293b8928bf43b19
                                                                                                                              • Instruction ID: 9d263249d14f005a7befdbe2ec71271420f83eb7f3aabcd341a4de16a3814c01
                                                                                                                              • Opcode Fuzzy Hash: 5cb8527918d772ac1ae0efbb5a872338a0c4fd5140d61a6e8293b8928bf43b19
                                                                                                                              • Instruction Fuzzy Hash: 4A41AFB2800508ABDB04EFA1DD929FD7778EF11324F60436EB436A71E1EB746B488795
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0041C32D
                                                                                                                                • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004414FE: __EH_prolog3.LIBCMT ref: 00441505
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                               • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                               • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: BackupFile$DecrementUsageCount$File$Filename$FontDesc$UnregisterCOM$UnregisterFont
                                                                                                                              • API String ID: 431132790-3749589439
                                                                                                                              • Opcode ID: 7539b8cbffacafb98a22847d250950b45e5a82240905a9fdc9c189d610be773a
                                                                                                                              • Instruction ID: 3f72acdb672835a07ae89cdfb03212aedbf373820b14fc6704ee29c0b555f672
                                                                                                                              • Opcode Fuzzy Hash: 7539b8cbffacafb98a22847d250950b45e5a82240905a9fdc9c189d610be773a
                                                                                                                              • Instruction Fuzzy Hash: 664195B1900108EBDB04EFA5CD92EEE7779EF50318F10452EB525672E2DB786748C798
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045A342
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 00459710: __EH_prolog3.LIBCMT ref: 00459717
                                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 0045A3B2
                                                                                                                              • lua_getfield.LUA5.1(?,FFFFD8EE,dofile), ref: 0045A3CF
                                                                                                                              • lua_type.LUA5.1(?,000000FF,?,FFFFD8EE,dofile), ref: 0045A3D7
                                                                                                                              • lua_pushstring.LUA5.1(?,?), ref: 0045A3E8
                                                                                                                              • lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?), ref: 0045A3F4
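The five calls listed above for the function at 0045A342 are the interesting part of this entry: after GetFileAttributesA on a path, the code fetches the global `dofile` from the Lua 5.1 globals table (FFFFD8EE is -10002, LUA_GLOBALSINDEX in lua.h), checks its type at stack top, pushes a string and runs it with lua_pcall(L, 1, 0, 0), i.e. it executes a Lua script file from disk. The raw dword listing hides this because the sandbox prints stack indices as hex and prints more dwords than the callee consumes. The following decoder is an added example, not code from the Joe Sandbox report or from the installer it analyses; it assumes (inferred from the Lua 5.1 API, not stated by the report) that single-byte immediates appear zero-extended (000000FF is -1, 000000FE is -2), that "?" marks an unresolved dword, and that arguments beyond each function's arity are residual stack content from earlier calls. The sample lines are the ones printed above.

```python
"""Decode Joe Sandbox "APIs" lines into readable Lua 5.1 C-API calls.

Added example, not part of the report.  Input lines look like
    • lua_getfield.LUA5.1(?,FFFFD8EE,dofile), ref: 0045A3CF
Assumed (inferred from lua.h, not stated by the report): each argument is one
32-bit dword printed as 8 hex digits, byte immediates appear zero-extended
(000000FF == -1), and dwords past the known arity are stale stack slots.
"""
import re
from typing import Dict, List, Optional

# Lua 5.1 pseudo-indices from lua.h.
LUA_PSEUDO: Dict[int, str] = {
    -10000: "LUA_REGISTRYINDEX",
    -10001: "LUA_ENVIRONINDEX",
    -10002: "LUA_GLOBALSINDEX",
}

# Dword slots after lua_State* (x86 cdecl) and which of them are Lua stack
# indices.  lua_pushnumber takes a double, hence two slots.
LUA51_SIG: Dict[str, tuple] = {
    "lua_getfield":    (2, {0}),
    "lua_gettable":    (1, {0}),
    "lua_settable":    (1, {0}),
    "lua_remove":      (1, {0}),
    "lua_type":        (1, {0}),
    "lua_tolstring":   (2, {0}),
    "lua_pushstring":  (1, set()),
    "lua_pushnumber":  (2, set()),
    "lua_pushnil":     (0, set()),
    "lua_gettop":      (0, set()),
    "lua_createtable": (2, set()),
    "lua_pcall":       (3, set()),
}

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


def decode_dword(token: str) -> Optional[int]:
    """Signed value of an 8-hex-digit dword; None for '?' and string literals."""
    if not HEX32_RE.fullmatch(token):
        return None
    value = int(token, 16)
    if value >= 0x80000000:          # true 32-bit negative, e.g. FFFFD8EE -> -10002
        return value - 0x100000000
    if 0x80 <= value <= 0xFF:        # assumed zero-extended byte immediate, 000000FF -> -1
        return value - 0x100
    return value


def render_arg(token: str, is_index: bool) -> str:
    """Pseudo-index name, signed int, '?' or a quoted string for one argument."""
    value = decode_dword(token)
    if value is None:
        return "?" if token == "?" else f'"{token}"'
    if is_index and value in LUA_PSEUDO:
        return LUA_PSEUDO[value]
    return str(value)


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one report line; None for lines that are not API references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = [t.strip() for t in m["args"].split(",")] if m["args"].strip() else []
    api = m["api"]
    if api in LUA51_SIG:
        nslots, index_slots = LUA51_SIG[api]
        body = tokens[1:1 + nslots]          # drop the lua_State* slot
        residual = tokens[1 + nslots:]       # stale stack content, kept for reference
        params = ["L"] + [render_arg(t, i in index_slots) for i, t in enumerate(body)]
    else:
        params, residual = tokens, []        # non-Lua API: keep dwords as printed
    return {"api": api, "module": m["module"], "ref": m["ref"],
            "params": params, "residual": residual}


def render_call(rec: dict) -> str:
    return f'{rec["api"]}({", ".join(rec["params"])})  ; ref {rec["ref"]}'


def decode_sequence(report_lines: List[str]) -> List[str]:
    """Render every API line in order; other report lines are skipped."""
    return [render_call(r) for r in map(parse_api_line, report_lines) if r is not None]


# Constructed sample: the five "APIs" lines of the function at 0045A342.
SAMPLE = [
    "• GetFileAttributesA.KERNEL32(?), ref: 0045A3B2",
    "• lua_getfield.LUA5.1(?,FFFFD8EE,dofile), ref: 0045A3CF",
    "• lua_type.LUA5.1(?,000000FF,?,FFFFD8EE,dofile), ref: 0045A3D7",
    "• lua_pushstring.LUA5.1(?,?), ref: 0045A3E8",
    "• lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?), ref: 0045A3F4",
]

if __name__ == "__main__":
    for call in decode_sequence(SAMPLE):
        print(call)
```

Run over the sample, the sequence reads as `lua_getfield(L, LUA_GLOBALSINDEX, "dofile")`, `lua_type(L, -1)`, `lua_pushstring(L, ?)`, `lua_pcall(L, 1, 0, 0)`. The same decoder applied to the entry at 0047C189 earlier on this page turns the 000000FD arguments of lua_settable into `-3`, the usual key/value table-fill pattern. The arity table only covers the Lua functions that appear in this report; extend it before trusting the residual split on other samples.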
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_getfield.lua_pcall.lua_pushstring.lua_remove.lua_type.$AttributesFilelua_gettable.lua_gettop.lua_tolstring.
                                                                                                                              • String ID: dofile
                                                                                                                              • API String ID: 1843175922-2485052799
                                                                                                                              • Opcode ID: b39950976c1a19d1b5cd1c175ad07a9c61bbffb7debacc19bc1e0ed5fb0ba619
                                                                                                                              • Instruction ID: 0a65f4c66ae19f5b5882bc3f81d4754bf9e2002989c93603c923f483c7c726e5
                                                                                                                              • Opcode Fuzzy Hash: b39950976c1a19d1b5cd1c175ad07a9c61bbffb7debacc19bc1e0ed5fb0ba619
                                                                                                                              • Instruction Fuzzy Hash: F321B631818511A6DB15A7A9DC46FEE36249F1232EF60031FF421B62D3DF7C6A1582AE
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004A231C
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: Button$Button %.2d$GroupBox$Insert your text here...$Option$Option %.2d$Your text goes here.
                                                                                                                              • API String ID: 431132790-2605563474
                                                                                                                              • Opcode ID: 8251b2babbee11e7f2369678ad3dbb68e729c6a684f0d1c8b9071e0d7146f9e3
                                                                                                                              • Instruction ID: e0603779bd5550da5164d39b48d0ed04ce2771eda240f7afc5deedcd14d07fd1
                                                                                                                              • Opcode Fuzzy Hash: 8251b2babbee11e7f2369678ad3dbb68e729c6a684f0d1c8b9071e0d7146f9e3
                                                                                                                              • Instruction Fuzzy Hash: A501C620240705AACF14AE3C8E4AB7E26A2FB73350F914117AC05662DACBFD9C00AB1D
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • luaL_openlib.LUA5.1(00000005,UninstallData,00000005,00000000), ref: 0047C0F9
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: L_openlib.
                                                                                                                              • String ID: AddItem$GetConfigurationFile$GetItem$GetItemList$RemoveItem$SetConfigurationFile$UninstallData
                                                                                                                              • API String ID: 3969157368-271183543
                                                                                                                              • Opcode ID: 62edbdbb42dab6a155e021b74246dc72a6b1ce1cc67482e36e4bd1decde3074f
                                                                                                                              • Instruction ID: 6e0edccd8660a2da1ed03675fa6f6f88dc6d9ced741e864bbbbf9b88a24124ba
                                                                                                                              • Opcode Fuzzy Hash: 62edbdbb42dab6a155e021b74246dc72a6b1ce1cc67482e36e4bd1decde3074f
                                                                                                                              • Instruction Fuzzy Hash: 4801E5B0D00208AB8B04EFA9D84A5DEBFF1FB09308F50805EE2257B240D7B45A088F98
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 004703B1
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 004703F7
                                                                                                                              • lua_type.LUA5.1(?,00000002), ref: 00470406
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 0047042C
                                                                                                                              • lua_type.LUA5.1(?,00000003), ref: 0047043A
                                                                                                                              • Sleep.KERNEL32(000003E8,0000003B,00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000084), ref: 004705BF
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 00446890: __EH_prolog3.LIBCMT ref: 00446897
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_type.$H_prolog3$lua_remove.$H_prolog3_Sleep_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.
                                                                                                                              • String ID: M
                                                                                                                              • API String ID: 3614587214-2059362058
                                                                                                                              • Opcode ID: be471aeb53e839bf58b28c02aaabb37e928137aed570015a3240e1497b296c42
                                                                                                                              • Instruction ID: 3728695d9d4962ceb0212351466967377c2e6ed9461044f03b86475cd974f2c3
                                                                                                                              • Opcode Fuzzy Hash: be471aeb53e839bf58b28c02aaabb37e928137aed570015a3240e1497b296c42
                                                                                                                              • Instruction Fuzzy Hash: C581D771801218EEDF14EBB5C842BEEB778AF11318F14415FF419B62C2DB786A48CB69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004981F1
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: Cols$DefaultSelection$Distribute$NumRadioButtons$Radio%d$Variable
                                                                                                                              • API String ID: 431132790-4095165351
                                                                                                                              • Opcode ID: c2b6eddaed5b3fd182b27a59a6a3f0fc59147641230c457f8cfdbaeaee5fcdf1
                                                                                                                              • Instruction ID: 85caaae517219542ab53a5fe66aa14c2fa75bc984cc2780cd67df8686c3d7064
                                                                                                                              • Opcode Fuzzy Hash: c2b6eddaed5b3fd182b27a59a6a3f0fc59147641230c457f8cfdbaeaee5fcdf1
                                                                                                                              • Instruction Fuzzy Hash: 0F615FB09007059FCB28EF69C4915AEBBF5BF09704700866FF45A97391DB38A984CF99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$H_prolog3_Version__cftof_malloc
                                                                                                                              • String ID: X
                                                                                                                              • API String ID: 3881372888-3081909835
                                                                                                                              • Opcode ID: 5c1f342bd38fab7305d6dd29c7af67285cbc6aa16d3a4a553cd85e6c80ce766c
                                                                                                                              • Instruction ID: 3dddf3ba3365c053c1b5bd02feaf2b7d22c48abfa59a57b36f1d42efd80d5f59
                                                                                                                              • Opcode Fuzzy Hash: 5c1f342bd38fab7305d6dd29c7af67285cbc6aa16d3a4a553cd85e6c80ce766c
                                                                                                                              • Instruction Fuzzy Hash: 058156B4A007059FDB60DF64C980F9ABBE5BF49304F0048AEE69E97342DB74A941CF16
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045A0AB
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                              • timeGetTime.WINMM ref: 0045A0D9
                                                                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0045A0FB
                                                                                                                              • TranslateMessage.USER32(?), ref: 0045A225
                                                                                                                              • DispatchMessageA.USER32(?), ref: 0045A22F
                                                                                                                              • timeGetTime.WINMM ref: 0045A246
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Message$H_prolog3Timelua_remove.time$DispatchPeekTranslatelua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_type.
                                                                                                                              • String ID: MSG: %d
                                                                                                                              • API String ID: 1650870568-2058940224
                                                                                                                              • Opcode ID: 8377b9616bc8ecf7fb28a6b99add2d4c68e117aa9bb805eacfc2246317fdf117
                                                                                                                              • Instruction ID: 5e28e8bea970431b4f222c984526150a1f58ec6e66eb35009a1e11399dbb2ab5
                                                                                                                              • Opcode Fuzzy Hash: 8377b9616bc8ecf7fb28a6b99add2d4c68e117aa9bb805eacfc2246317fdf117
                                                                                                                              • Instruction Fuzzy Hash: B841A93090530A96DF265B54C88A7AF3E74EB46301F1C4767F810E27A2CA3E8D68C64B
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              • IDS_CTRL_EDIT_MASK_%.2d, xrefs: 00492409
                                                                                                                              • IDS_CTRL_BUTTON_%.2d, xrefs: 004923EB
                                                                                                                              • IDS_CTRL_STATICTEXT_LABEL_%.2d, xrefs: 004923B0
                                                                                                                              • %%EditVar%.2d%%, xrefs: 00492445
                                                                                                                              • IDS_CTRL_EDIT_MASK_PLACE_HOLDER_%.2d, xrefs: 00492427
                                                                                                                              • IDS_CTRL_EDIT_%.2d, xrefs: 004923CE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: %%EditVar%.2d%%$IDS_CTRL_BUTTON_%.2d$IDS_CTRL_EDIT_%.2d$IDS_CTRL_EDIT_MASK_%.2d$IDS_CTRL_EDIT_MASK_PLACE_HOLDER_%.2d$IDS_CTRL_STATICTEXT_LABEL_%.2d
                                                                                                                              • API String ID: 431132790-342798587
                                                                                                                              • Opcode ID: ed74339dc557093fbc1c58841f77c1b7b47cad2cb26f3884eff4e7165c7ef69b
                                                                                                                              • Instruction ID: b210f4999fd141844df9ad3d887634f0ebef1f13d69b89acee0fc50b7c318d34
                                                                                                                              • Opcode Fuzzy Hash: ed74339dc557093fbc1c58841f77c1b7b47cad2cb26f3884eff4e7165c7ef69b
                                                                                                                              • Instruction Fuzzy Hash: BA2125F2801119AAC710EBB1DD56DEF73BCBF54704B44492EB912F20D1EA746A04CA68
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00424244
                                                                                                                              • _memset.LIBCMT ref: 00424285
                                                                                                                              • lstrlen.KERNEL32(?,?,00000104), ref: 0042429A
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 004242A4
                                                                                                                              • LoadTypeLib.OLEAUT32(?,?), ref: 004242B8
                                                                                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004242E1
                                                                                                                                • Part of subcall function 00423B3A: FormatMessageA.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00423B5D
                                                                                                                                • Part of subcall function 00423B3A: lstrlen.KERNEL32(00000000), ref: 00423B6A
                                                                                                                                • Part of subcall function 00423A80: LocalFree.KERNEL32(?), ref: 00423A9E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Typelstrlen$ByteCharFormatFreeH_prolog3_LoadLocalMessageMultiRegisterWide_memset
                                                                                                                              • String ID: Error 0x%08x: %s
                                                                                                                              • API String ID: 3982301635-3892005284
                                                                                                                              • Opcode ID: 44c337775908e7dc423fff0d56c7b922ef8cffcc36339a877f08d69d126a9958
                                                                                                                              • Instruction ID: b61ab12b42b790a9f86b86eaf4957fe074c00d48a3ddd94d2c91edb3d763ca65
                                                                                                                              • Opcode Fuzzy Hash: 44c337775908e7dc423fff0d56c7b922ef8cffcc36339a877f08d69d126a9958
                                                                                                                              • Instruction Fuzzy Hash: 90313AB1941229ABCB209F90EC8DADEBBB8EF18304F5405EAE409A2251D7745E84CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • IsWindow.USER32(?), ref: 004A6205
                                                                                                                              • SendMessageA.USER32(?,00000184,00000000,00000000), ref: 004A623B
                                                                                                                              • SendMessageA.USER32(?,00000181,00000000,00000000), ref: 004A6294
                                                                                                                              • SendMessageA.USER32(?,0000019A,00000000,?), ref: 004A62C9
                                                                                                                              • SendMessageA.USER32(?,00000186,00000000,00000000), ref: 004A62E3
                                                                                                                              • SendMessageA.USER32(?,00000181,0045F337,00000000), ref: 004A6328
                                                                                                                              • SendMessageA.USER32(?,0000019A,0045F337,?), ref: 004A635D
                                                                                                                              • SendMessageA.USER32(?,00000186,0045F337,00000000), ref: 004A6387
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Window
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2326795674-0
                                                                                                                              • Opcode ID: 274a9ee84c72baccb27ac6c9c238e4b32c94d44941ec9e085fade49059733933
                                                                                                                              • Instruction ID: b0fe18b823ab303c5591bd89f0bc0afbe9f98c28baf84205656f86f8c2cd5308
                                                                                                                              • Opcode Fuzzy Hash: 274a9ee84c72baccb27ac6c9c238e4b32c94d44941ec9e085fade49059733933
                                                                                                                              • Instruction Fuzzy Hash: 9E519076500604EFCF11DF94C880DAABBB5FF29300B1984AEEA468B661C735ED42DF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1844215989-0
                                                                                                                              • Opcode ID: 3b2f031b4351e73a8d5f33d45e904f7a1f5ab55102efb6eff2c15b7db513f175
                                                                                                                              • Instruction ID: cb549522318e155badbb5dfcc42aad4166856f29494f6d212789417360852530
                                                                                                                              • Opcode Fuzzy Hash: 3b2f031b4351e73a8d5f33d45e904f7a1f5ab55102efb6eff2c15b7db513f175
                                                                                                                              • Instruction Fuzzy Hash: 75319134601745CFCB64EFA4C899F69BBE1BF00708F50846EE5868B7A2C774AC40CB59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: DeleteObject$CursorDestroy_memset
• String ID:
• API String ID: 2159749563-0
• Opcode ID: 1bb1de66b6d37195813c383603afc1c77882aafae92278e93ef9fd055431e131
• Instruction ID: 4455f773275f34f58b88064a1529c11f0887643089591b20b5fafbf9d45d875a
• Opcode Fuzzy Hash: 1bb1de66b6d37195813c383603afc1c77882aafae92278e93ef9fd055431e131
• Instruction Fuzzy Hash: 51012571B1170557E730AE799C88F5BB3DC9F50B40F05441EBA48E7251DF79F8008AA8
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 0049600F
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0048BA06: __EH_prolog3.LIBCMT ref: 0048BA0D
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 0048B96F: __EH_prolog3.LIBCMT ref: 0048B976
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: %s > %s$On Back$On Cancel$On Help$On Next
• API String ID: 1663610674-3527549260
• Opcode ID: ba143049ff5af49460881d440a0271e0fc8bc2a27808e443e547b7db3bc7ab0d
• Instruction ID: 47a24a1f48d4ca565934e98a27982a5d4551e5fca717ae475fae92cff2397d4a
• Opcode Fuzzy Hash: ba143049ff5af49460881d440a0271e0fc8bc2a27808e443e547b7db3bc7ab0d
• Instruction Fuzzy Hash: 71A13170D00205DFCF05EFA9C946AAEBBF5AF45314F15815EF015B7292CB389A01CBA9
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 004201D9
• GetFileAttributesA.KERNEL32(00000010,00000050), ref: 00420210
• _strlen.LIBCMT ref: 0042028D
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AttributesFileH_prolog3_strlen
• String ID: <?xml version="1.0" encoding="iso-8859-1"?>$SUF70UninstallData
• API String ID: 1171970428-2376748235
• Opcode ID: b8d63bfc34991b982de0a0c44c81630ce97c7cfdd553662d83f1e975649b7fff
• Instruction ID: d2ce1658b384c1ef4d0bb94c9eb3cb7675d1d685cfd0ac3030ce9c46e2f8cf0a
• Opcode Fuzzy Hash: b8d63bfc34991b982de0a0c44c81630ce97c7cfdd553662d83f1e975649b7fff
• Instruction Fuzzy Hash: 19817E70D00215DFCF04EF99D982AAEBBB8AF15318F60415FF511BB292CB785A05CBA5
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetWindowRect.USER32(?,?), ref: 004020D2
• SetWindowLongA.USER32(?,000000F4,00000000), ref: 00402103
• SendMessageA.USER32(?,00000030,?,00000001), ref: 0040214D
• GetWindowRect.USER32(?,?), ref: 004021BA
• GetWindowRect.USER32(?,?), ref: 004021D2
• GetWindowRect.USER32(?,?), ref: 00402229
• SendMessageA.USER32(?,0000014D,000000FF,?), ref: 004022BA
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Rect$MessageSend$Long
• String ID:
• API String ID: 697563133-0
• Opcode ID: 08c74334025398f98fc756bc4da5b4ca972b68ec10d6d31942000fa0231e5e7a
• Instruction ID: 0120dead2877fc41f7accc9b6d902dd8213874ad2ae073c59d5e88aabdc86e6d
• Opcode Fuzzy Hash: 08c74334025398f98fc756bc4da5b4ca972b68ec10d6d31942000fa0231e5e7a
• Instruction Fuzzy Hash: 69514E71900209AFDF11DFA5CD84EEEBBBAEF89304F14017EE905BB291CA785900CB65
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 00410109
  • Part of subcall function 004B7D9A: __EH_prolog3.LIBCMT ref: 004B7DA1
  • Part of subcall function 004B7D9A: BeginPaint.USER32(?,?,00000004,0041011F,?,00000084), ref: 004B7DCD
• GetClientRect.USER32(?,?), ref: 00410174
• CreatePen.GDI32(00000000,00000001,00776F70), ref: 0041018A
• CreateSolidBrush.GDI32(00776F70), ref: 0041019F
• CreatePen.GDI32(00000000,00000001,3FE00000), ref: 004101B9
• CreateSolidBrush.GDI32(3FE00000), ref: 004101CE
  • Part of subcall function 004025A1: __EH_prolog3_catch_GS.LIBCMT ref: 004025AB
  • Part of subcall function 004B7DEE: __EH_prolog3.LIBCMT ref: 004B7DF5
  • Part of subcall function 004B7DEE: EndPaint.USER32(?,?,00000004,0041030E), ref: 004B7E10
• Rectangle.GDI32(?,?,?,?,?), ref: 00410212
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Create$BrushH_prolog3PaintSolid$BeginClientH_prolog3_H_prolog3_catch_RectRectangle
• String ID:
• API String ID: 1340467278-0
• Opcode ID: 2f970d49804d0f2d9b82e4f76802c049c79622c6e07c8134b58e82e836740fcd
• Instruction ID: 9240ddd567951efe90ab1f9f67ca9fa23bed348a00c53c9715a8afbc30e7a201
• Opcode Fuzzy Hash: 2f970d49804d0f2d9b82e4f76802c049c79622c6e07c8134b58e82e836740fcd
• Instruction Fuzzy Hash: DA513971C00609EFCF25DFA1C985AEEBB79BF08304F10416EE546A3152DB796A84CF64
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 00474268
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
• GetSystemMetrics.USER32(00000000), ref: 004742EB
• GetSystemMetrics.USER32(00000001), ref: 004742F1
• IsWindow.USER32(?), ref: 00474307
• GetWindowRect.USER32(?,?), ref: 0047431D
• IsWindow.USER32(?), ref: 004743D0
• GetWindowRect.USER32(?,?), ref: 004743F8
  • Part of subcall function 004867EC: __EH_prolog3.LIBCMT ref: 004867F3
  • Part of subcall function 004B890D: MoveWindow.USER32(?,?,?,?,?,?), ref: 004B892A
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486AF0
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486AFC
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486B60
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Rect$MetricsSystem$H_prolog3H_prolog3_Move_malloc
• String ID:
• API String ID: 2691773604-0
• Opcode ID: 3ea4f64a5ff61e3f6450aa7714be0298217594152a65b21ce1af16fc8c65d8d0
• Instruction ID: b289f60b02ab36f1928b2c7e43761c1ff051663f21ed5bb26d7733e51c099dae
• Opcode Fuzzy Hash: 3ea4f64a5ff61e3f6450aa7714be0298217594152a65b21ce1af16fc8c65d8d0
• Instruction Fuzzy Hash: FD515275A001168FCB04DFB9CE49AAD7BF9FF48314B05816AF409E7262CB78A900CB55
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: SessionVars$UninstallFiles$UninstallFolders$UninstallShortcuts$UninstallSupportFiles
• API String ID: 431132790-292530861
• Opcode ID: d76fd0b77baf14a35d53ac08aaf1fa682d20ec9077a28fb0a54e9fef29abb02f
• Instruction ID: 6d32717a054c24e4ef4673ecc6a00d520509ccbcb52cac7a29e747435e1278c8
• Opcode Fuzzy Hash: d76fd0b77baf14a35d53ac08aaf1fa682d20ec9077a28fb0a54e9fef29abb02f
• Instruction Fuzzy Hash: C151C630A00216DFCB14EFB6DE52ABE7764BF50314F80412FA456B76D2DBB89A04CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 004D24DF
• GetParent.USER32(?), ref: 004D24E6
  • Part of subcall function 004B87F6: GetWindowLongA.USER32(?,000000F0), ref: 004B8801
• SendMessageA.USER32(?,00000187,00000000,00000000), ref: 004D2539
• SendMessageA.USER32(?,00000111,?,00000020), ref: 004D2591
• SendMessageA.USER32(?,00000185,00000000,00000000), ref: 004D25AA
Strings
Similarity
• API ID: MessageSend$LongParentWindow
• String ID:
• API String ID: 779260966-3916222277
• Opcode ID: 481990ea00b59ab6e7a87d96e3789037ce12d78297dd64b0d7abc94371ce46d7
• Instruction ID: b4df82db4cceea64747491b60be2f090e90925a56d3d478974975c23d41f468c
• Opcode Fuzzy Hash: 481990ea00b59ab6e7a87d96e3789037ce12d78297dd64b0d7abc94371ce46d7
• Instruction Fuzzy Hash: EF41D170600314BBDB256B368DA6EAF3AA9FF44744F10441FF546D63A0DA78ED408BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0048458B
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
Strings
• Source did not have drive specifier, xrefs: 0048467F
• Source ends with a slash, xrefs: 00484623
• Source was less than 4 characters, xrefs: 004845DE
• Source contains invalid character, xrefs: 004846EE
• Source was empty, xrefs: 004845BB
Similarity
• API ID: H_prolog3
• String ID: Source contains invalid character$Source did not have drive specifier$Source ends with a slash$Source was empty$Source was less than 4 characters
• API String ID: 431132790-1937954483
• Opcode ID: aa81d45f7b769ec40afb4cd3830f932018c7e4189e5f5c4d1cfffda82d519daf
• Instruction ID: 0ec57f67d38fa25329bf7ceb843e8e42149d94793dc069b18d3ac5c1932bd0eb
• Opcode Fuzzy Hash: aa81d45f7b769ec40afb4cd3830f932018c7e4189e5f5c4d1cfffda82d519daf
• Instruction Fuzzy Hash: 4B41D770A01206ABCB04FB64C996A7EB7B4FF51318F10462EF121B72D1DB786E00C79A
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0042A0D9
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0040C578: lua_getfield.LUA5.1(0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C58C
  • Part of subcall function 0040C578: lua_isnumber.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C596
  • Part of subcall function 0040C578: lua_tonumber.LUA5.1(0000C264,000000FF), ref: 0040C5A7
  • Part of subcall function 0040C578: lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C5BA
• SetFileAttributesA.KERNEL32(00000010,00000080,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000,00000000,00000000,00000000), ref: 0042A150
• DeleteFileA.KERNEL32(00000010,?,00000020,0042D4B5,00000000,?,00000000,00000000,?,?,00000004,00000000,00000000,00000000,00000000), ref: 0042A157
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Strings
• Remove shortcut: , xrefs: 0042A163
• UNINSTALL_STAGE_REMOVING_SHORTCUTS, xrefs: 0042A0F4
Similarity
• API ID: H_prolog3$File$AttributesDeleteException@8Throwlua_getfield.lua_isnumber.lua_remove.lua_tonumber.
• String ID: Remove shortcut: $UNINSTALL_STAGE_REMOVING_SHORTCUTS
• API String ID: 676444499-2030364576
• Opcode ID: 2c96ed7e59a8f75f11db71ae13eeef63634ca29e69d73cebd492881230dfbde1
• Instruction ID: a1811789827066c816a6d5269dffc9e828bb3a3098a0a3f492b5cf1cc4e27eab
• Opcode Fuzzy Hash: 2c96ed7e59a8f75f11db71ae13eeef63634ca29e69d73cebd492881230dfbde1
• Instruction Fuzzy Hash: 4A416171D002099FCB04EFA9DC85AAE7BB9FF48324F54416EF411B72A2CB385911CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046C468
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_type.LUA5.1(?,00000004), ref: 0046C4D2
• lua_type.LUA5.1(?,00000004), ref: 0046C4E1
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• GetProcAddress.KERNEL32(00000000,MsiApplyPatchA), ref: 0046C50E
• lua_pushboolean.LUA5.1(?,00000000,?,00001068), ref: 0046C54B
Strings
Similarity
• API ID: H_prolog3$lua_type.$lua_remove.$AddressProc_strlenlua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushboolean.lua_pushstring.lua_tolstring.
• String ID: MsiApplyPatchA
• API String ID: 3635814031-3494550721
• Opcode ID: be433b341d57405f4bce7879237927ec9266325ecbe3f55dcb0e7f705b9d498a
• Instruction ID: 9f499f818e56ab2b3da4ab56a9930921714a315f96c1f37b0d1efb423f383925
• Opcode Fuzzy Hash: be433b341d57405f4bce7879237927ec9266325ecbe3f55dcb0e7f705b9d498a
• Instruction Fuzzy Hash: 8621F432900611AAEB14B7B58C53FBF32689F42329F10052FF521B61C3FE7CAA05816E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
• _memset.LIBCMT ref: 0044A110
• lstrcpyn.KERNEL32(00000000,00000000,00000104,00000004,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0044A11D
• __mbsinc.LIBCMT ref: 0044A143
• __mbsinc.LIBCMT ref: 0044A162
• __mbsinc.LIBCMT ref: 0044A196
• __mbsinc.LIBCMT ref: 0044A1A9
• __mbsinc.LIBCMT ref: 0044A1C0
                                                                                                                              Similarity
                                                                                                                              • API ID: __mbsinc$_memset_strlenlstrcpyn
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1884050351-0
                                                                                                                              • Opcode ID: bacd93511e44d4c105607c602db92835d72c969baff7d110de9fc2ade29ac56b
                                                                                                                              • Instruction ID: 9d8ff5f63f7a13c67aff95a623033707d9f142286c7986f40109651ee299498f
                                                                                                                              • Opcode Fuzzy Hash: bacd93511e44d4c105607c602db92835d72c969baff7d110de9fc2ade29ac56b
                                                                                                                              • Instruction Fuzzy Hash: 1921B4526886C42FFB2A26649839BF73F9A4B43350F5C50A7E2854B3A3E41C4CB4935B
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0044C325
                                                                                                                              • wsprintfA.USER32 ref: 0044C393
                                                                                                                              • _strlen.LIBCMT ref: 0044C399
                                                                                                                              • wsprintfA.USER32 ref: 0044C3C2
                                                                                                                              • _strlen.LIBCMT ref: 0044C3C8
                                                                                                                                • Part of subcall function 0040181F: _memmove_s.LIBCMT ref: 00401866
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 00405B1F: __EH_prolog3.LIBCMT ref: 00405B26
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3_strlenwsprintf$H_prolog3__memmove_s
                                                                                                                              • String ID: %lu
                                                                                                                              • API String ID: 3513440924-685833217
                                                                                                                              • Opcode ID: 913fceb6de5976f9ac2ea5b7b4929e5410d8277d11af5c7af936a03c416d1eba
                                                                                                                              • Instruction ID: 81bd72addf644ded3dc7e7d748295b5c4a7a0cbe4fca25263a82ee9719c752f3
                                                                                                                              • Opcode Fuzzy Hash: 913fceb6de5976f9ac2ea5b7b4929e5410d8277d11af5c7af936a03c416d1eba
                                                                                                                              • Instruction Fuzzy Hash: 0C3110B2D0010CABCB05EBE4DC51AEDB77DAF58318F54416AF512F7292DA34AA04CB69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateSolidBrush.GDI32(?), ref: 004AC0BA
                                                                                                                              • GetObjectA.GDI32(?,0000000C,?), ref: 004AC0D4
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004AC0F0
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004AC10A
                                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 004AC10D
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 004AC125
                                                                                                                              • CreateSolidBrush.GDI32(?), ref: 004AC158
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BrushColorCreateSolid$Object
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2949401836-0
                                                                                                                              • Opcode ID: c271f124851e0041232e2696dac5eba6e0f045dfed74334c77f08dcd11032c93
                                                                                                                              • Instruction ID: fe9d0160852a57a7580b55063f9972611d9888a0d25ad92f03fd2fe067043f6f
                                                                                                                              • Opcode Fuzzy Hash: c271f124851e0041232e2696dac5eba6e0f045dfed74334c77f08dcd11032c93
                                                                                                                              • Instruction Fuzzy Hash: FB319C31B04615EFCB64EF64C885BBEB7A6BF49700F00001AE50697352CB38AD01CBA9
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00498428
                                                                                                                                • Part of subcall function 00496368: __EH_prolog3.LIBCMT ref: 0049636F
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0048CD71: __EH_prolog3.LIBCMT ref: 0048CD78
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                              Strings
                                                                                                                              • IDS_CTRL_RADIO_BUTTON_%.2d, xrefs: 004984C7
                                                                                                                              • Option %.2d, xrefs: 004984DA
                                                                                                                              • IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS, xrefs: 00498454
                                                                                                                              • Please select one of the following options:, xrefs: 00498440
                                                                                                                              • IDS_CTRL_STATICTEXT_BOTTOMINSTRUCTIONS, xrefs: 00498485
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_memcpy_s
                                                                                                                              • String ID: IDS_CTRL_RADIO_BUTTON_%.2d$IDS_CTRL_STATICTEXT_BOTTOMINSTRUCTIONS$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS$Option %.2d$Please select one of the following options:
                                                                                                                              • API String ID: 1663610674-4264039920
                                                                                                                              • Opcode ID: e65418ccec596460c4d17e3f410aff2345f219120555595c8fe5c0ee5dd8a50d
                                                                                                                              • Instruction ID: 84d089c6dd6a3c0e98640f33581de87d6a8cece259c730cbec285c86a885420f
                                                                                                                              • Opcode Fuzzy Hash: e65418ccec596460c4d17e3f410aff2345f219120555595c8fe5c0ee5dd8a50d
                                                                                                                              • Instruction Fuzzy Hash: 2A316371D00209AFCF05FFA9C953AAE7A75AF55324F51421EF015772D1CB381B018BAA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 004064AD
                                                                                                                              • lua_getstack.LUA5.1(?,00000000,?,00000000), ref: 004064E3
                                                                                                                              • lua_getinfo.LUA5.1(?,Snl,?), ref: 00406502
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3H_prolog3_lua_getinfo.lua_getstack.
                                                                                                                              • String ID: %s, Line %d: %s$Snl$Unknown
                                                                                                                              • API String ID: 1261931991-796661963
                                                                                                                              • Opcode ID: 4d972366b980b5e3365b2f746acb6eedebbcfecf8baeb04511ca239b585e59bb
                                                                                                                              • Instruction ID: 9c5c313a7c297e394b047f91307065fb3f6790cbdf70ba25fe7b6bdb75bcd3db
                                                                                                                              • Opcode Fuzzy Hash: 4d972366b980b5e3365b2f746acb6eedebbcfecf8baeb04511ca239b585e59bb
                                                                                                                              • Instruction Fuzzy Hash: C6318F31900104ABDB28EBB9CC51BEDBB78AF14318F10426EF525B71D2DB786A14CF69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: Error%s (%d)$Notice%s$Skipped%s$Success%s$Warning%s (%d)
                                                                                                                              • API String ID: 431132790-4104247451
                                                                                                                              • Opcode ID: af30dd3758adcbb9be01334b73c58f5e292d62a27d0c20df3ce2a59319d7730c
                                                                                                                              • Instruction ID: 2cafa5c473a8aadb3dc73f105463b86ae68b496e8c72180bf6514116c776b25e
                                                                                                                              • Opcode Fuzzy Hash: af30dd3758adcbb9be01334b73c58f5e292d62a27d0c20df3ce2a59319d7730c
                                                                                                                              • Instruction Fuzzy Hash: ED11C17248011EBBCF19DFA0CD01DEE7B76BB08344F44441BB940A2190C6799930DB9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0049E520
                                                                                                                              • GetSysColor.USER32(00000014), ref: 0049E55D
                                                                                                                              • GetSysColor.USER32(00000010), ref: 0049E567
                                                                                                                              • GetSysColor.USER32(00000015), ref: 0049E571
                                                                                                                              • GetSysColor.USER32(00000016), ref: 0049E57B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Color$H_prolog3
                                                                                                                              • String ID: BUTTON
                                                                                                                              • API String ID: 131102112-3405671355
                                                                                                                              • Opcode ID: 2fd38fa7de3b1bffc8d6d00bf6698deb6861f123c63f09cfd21e505b547a269d
                                                                                                                              • Instruction ID: 6f19ee3100a2f8436581469bc571417320edf205dbff0f299390447a8fefb4ee
                                                                                                                              • Opcode Fuzzy Hash: 2fd38fa7de3b1bffc8d6d00bf6698deb6861f123c63f09cfd21e505b547a269d
                                                                                                                              • Instruction Fuzzy Hash: 7EF05470941B069BD725BF718D1AB9FBAE1AF84700F11082DE1955B1C1DBF46601CF45
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • lstrlen.KERNEL32(?,00000000), ref: 0045460A
                                                                                                                              • GetLastError.KERNEL32(0000002B,?,00000001), ref: 0045461F
                                                                                                                              • lstrlen.KERNEL32(?,00000000), ref: 00454642
                                                                                                                              • GetLastError.KERNEL32(0000002C,?,00000001), ref: 00454657
                                                                                                                              • lstrlen.KERNEL32(?,00000000), ref: 004546B2
                                                                                                                              • GetLastError.KERNEL32(0000001C,?,00000001), ref: 004546C7
                                                                                                                              • lstrlen.KERNEL32(?,00000000), ref: 004546EA
                                                                                                                              • GetLastError.KERNEL32(0000001D,?,00000001), ref: 00454703
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastlstrlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 8355439-0
                                                                                                                              • Opcode ID: 4e58175465a5ce537dd4ba79136a53e4486892db5079a6eedeb95b85921b2457
                                                                                                                              • Instruction ID: e9c10133a96086cffa29038db409d30afa1e2a2cd4de1380d40b9a8af837cf85
                                                                                                                              • Opcode Fuzzy Hash: 4e58175465a5ce537dd4ba79136a53e4486892db5079a6eedeb95b85921b2457
                                                                                                                              • Instruction Fuzzy Hash: 7761647020024AABEF119F658D45FAF3799AB8470EF00052FFE059A282D77CDD589A5A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004681BD
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
                                                                                                                                • Part of subcall function 0044D91E: __EH_prolog3.LIBCMT ref: 0044D925
                                                                                                                              • lua_pushnil.LUA5.1(?,?,00000001), ref: 004682F3
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000,?,?,?,00000001,0000000A), ref: 00468291
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?,?,?,?,00000001,0000000A), ref: 004682AC
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,00000001,0000000A), ref: 004682C0
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,00000001,0000000A), ref: 004682C8
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_pushstring.lua_remove.$Exception@8Throw_memcpy_slua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_settable.lua_tolstring.lua_type.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1908067791-0
                                                                                                                              • Opcode ID: 1c2721e2ad41b260756b6d3f1d8ec878b88ec7d281683656ff0b5bb5371db19b
                                                                                                                              • Instruction ID: c728cde074349f2ec9ec65883b5a21edc7bedbf011c1524498f9d439cc2c2949
                                                                                                                              • Opcode Fuzzy Hash: 1c2721e2ad41b260756b6d3f1d8ec878b88ec7d281683656ff0b5bb5371db19b
                                                                                                                              • Instruction Fuzzy Hash: FA419271C00105ABDB04EBA5C886AEEBB78AF15318F64415FF410722D3EF7D5A4587AA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0046E469
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004515A4: __EH_prolog3.LIBCMT ref: 004515AB
                                                                                                                              • lua_pushnil.LUA5.1(?,0000000A), ref: 0046E599
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                                • Part of subcall function 004517B0: __EH_prolog3.LIBCMT ref: 004517BA
                                                                                                                              • lua_createtable.LUA5.1(?,00000000,00000000,0000000A), ref: 0046E52D
                                                                                                                                • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,?,0000000A), ref: 0046E548
                                                                                                                              • lua_pushstring.LUA5.1(?,?,?,?,0000000A), ref: 0046E55C
                                                                                                                              • lua_settable.LUA5.1(?,000000FD,?,?,?,?,0000000A), ref: 0046E564
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_pushstring.lua_remove.$Exception@8Throw_memcpy_slua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_settable.lua_tolstring.lua_type.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1908067791-0
                                                                                                                              • Opcode ID: 01338515873f5e58a3b1175a45c372372f08662b5c7bce2376fcf9414fb44e8b
                                                                                                                              • Instruction ID: a31827ddce6e01fec5d250f5be58295fe2646483db7bb2918da9684b2c2f1d94
                                                                                                                              • Opcode Fuzzy Hash: 01338515873f5e58a3b1175a45c372372f08662b5c7bce2376fcf9414fb44e8b
                                                                                                                              • Instruction Fuzzy Hash: 18418375800115AADB01ABE6CC46AEEBBB8AF54318F14001FF41177283FB7D5A0687BA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

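The "Part of subcall function 00459443" chain that recurs in the Lua-bound records above is the Lua 5.1 C API driving the sample's embedded interpreter (the snapshot name irsetup is the runtime name used by Indigo Rose's Setup Factory installers, which embed Lua 5.1). Read back as Lua: FFFFD8EE is -10002, which is LUA_GLOBALSINDEX in Lua 5.1, so lua_getfield fetches the global Application table; lua_pushstring followed by lua_gettable(-2) indexes its ResetLastError field; lua_remove(-2) drops the table; lua_type(-1) checks the value; lua_pcall(0,0,0) calls it with no arguments and no results; and the trailing lua_remove(-1) can only be cleanup of the pcall error object, since a successful call with nresults=0 leaves nothing on the stack. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses those trace lines (copied from this report as constructed input) and replays them against a symbolic Lua stack to recover the Lua statement Application.ResetLastError(). Treating 000000FE-style tokens as sign-extended imm8 pushes is an assumption about how the report renders pushed constants.

```python
"""Replay Joe Sandbox 'APIs' trace lines for a Lua 5.1 host as Lua statements.

Added example, not part of the Joe Sandbox report or the analysed sample.
"""
import re

# Lua 5.1 pseudo-indices from lua.h (fixed constants in that release).
LUA_REGISTRYINDEX = -10000
LUA_ENVIRONINDEX = -10001
LUA_GLOBALSINDEX = -10002
PSEUDO_NAMES = {
    LUA_REGISTRYINDEX: "_REGISTRY",
    LUA_ENVIRONINDEX: "_ENV",
    LUA_GLOBALSINDEX: "_G",
}

# Constructed input: the subcall lines for function 00459443 as printed in the report.
SAMPLE_TRACE = """\
• Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
• Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
• Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
• Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
• Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
• Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
• Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
"""

LINE_RE = re.compile(
    r"(?P<api>lua_\w+)\.LUA5\.1\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})"
)

# Real argument count of each C API call after the lua_State* slot. The report
# prints extra stack slots beyond the real arguments, so the list is cut here.
ARITY = {
    "lua_getfield": 2, "lua_pushstring": 1, "lua_gettable": 1,
    "lua_remove": 1, "lua_type": 1, "lua_pcall": 3,
}


def decode_int(tok):
    """Hex token from the report -> signed int.
    Assumption: 8-digit values with the top bit set are imm32 pushes
    (FFFFD8EE -> -10002); values 80..FF are sign-extended imm8 pushes (FE -> -2)."""
    v = int(tok, 16)
    if v >= 0x80000000:
        return v - 0x100000000
    if 0x80 <= v <= 0xFF:
        return v - 0x100
    return v


def parse_trace(text):
    """Return [(api, real_args, call_site_ref)] in the order the report lists them."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m["args"].split(",")[1:]          # drop the lua_State* slot ("?")
        calls.append((m["api"], raw[:ARITY[m["api"]]], m["ref"]))
    return calls


def reconstruct(calls):
    """Replay the calls on a symbolic Lua stack; return the Lua statements recovered."""
    stack, statements = [], []

    def resolve(i):                             # Lua index -> symbolic value
        if i in PSEUDO_NAMES:
            return PSEUDO_NAMES[i]
        return stack[i - 1] if i > 0 else stack[len(stack) + i]

    for api, args, ref in calls:
        if api == "lua_getfield":               # push t[k] for constant string k
            base, key = resolve(decode_int(args[0])), args[1]
            stack.append(key if base == "_G" else f"{base}.{key}")
        elif api == "lua_pushstring":           # push a string constant
            stack.append(repr(args[0]))
        elif api == "lua_gettable":             # t = stack[idx]; k = pop(); push t[k]
            table = resolve(decode_int(args[0]))
            key = stack.pop()
            stack.append(f"{table}.{key[1:-1]}" if key.startswith("'") else f"{table}[{key}]")
        elif api == "lua_remove":
            i = decode_int(args[0])
            if stack:
                del stack[i - 1 if i > 0 else len(stack) + i]
            else:                               # only reachable on the pcall error path
                statements.append(f"-- {ref}: lua_remove on empty stack (discards pcall error object)")
        elif api == "lua_type":
            pass                                # type check only; stack unchanged
        elif api == "lua_pcall":                # pop fn + nargs, push nresults
            nargs, nresults = decode_int(args[0]), decode_int(args[1])
            fn_pos = len(stack) - nargs - 1
            fn, call_args = stack[fn_pos], stack[fn_pos + 1:]
            del stack[fn_pos:]
            statements.append(f"{fn}({', '.join(call_args)})")
            stack.extend(f"<result{k}>" for k in range(nresults))
    return statements


if __name__ == "__main__":
    for stmt in reconstruct(parse_trace(SAMPLE_TRACE)):
        print(stmt)
```

Because the listing is a static set of call sites rather than a dynamic trace, the two lua_remove sites can lie on different control-flow paths; the replay therefore reports a remove that finds an empty stack instead of failing, which is how the error-path cleanup after lua_pcall shows up. The same parse-and-replay approach applies to the outer records (lua_createtable, lua_pushnumber, lua_settable(-3)), but there the report shows most arguments as "?", so only the shape of the table being built, not its contents, can be recovered.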
                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0046E5D2
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 004515A4: __EH_prolog3.LIBCMT ref: 004515AB
• lua_pushnil.LUA5.1(?,0000000A), ref: 0046E702
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 00451C6D: __EH_prolog3.LIBCMT ref: 00451C77
• lua_createtable.LUA5.1(?,00000000,00000000,0000000A), ref: 0046E696
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
• lua_pushnumber.LUA5.1(?,?,?,0000000A), ref: 0046E6B1
• lua_pushstring.LUA5.1(?,?,?,?,0000000A), ref: 0046E6C5
• lua_settable.LUA5.1(?,000000FD,?,?,?,?,0000000A), ref: 0046E6CD
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$lua_pushstring.lua_remove.$Exception@8Throw_memcpy_slua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_settable.lua_tolstring.lua_type.
• String ID:
• API String ID: 1908067791-0
• Opcode ID: fa22616630401b12e80c8301b3ce8014f5a1b419bd5a3221eb626190061ebd92
• Instruction ID: 28d64e8631b9c7c422b4713f96e514c154c311040a02820bc5abe4971acb32e4
• Opcode Fuzzy Hash: fa22616630401b12e80c8301b3ce8014f5a1b419bd5a3221eb626190061ebd92
• Instruction Fuzzy Hash: E5419175800115ABDB01EFA6CC46AEEBBB8AF55318F54001FF81073283EB7D5A0587BA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 004AE69E
• ClientToScreen.USER32(00000000,?), ref: 004AE74E
• ScreenToClient.USER32(00000000,?), ref: 004AE75E
• ClientToScreen.USER32(00000000,?), ref: 004AE7AC
• ScreenToClient.USER32(?,?), ref: 004AE7BC
• PostMessageA.USER32(?,?,?,?), ref: 004AE7D9
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ClientScreen$MessageParentPost
• String ID:
• API String ID: 1061243768-0
• Opcode ID: 237f283f83863944ae1e47a72efe981a6f76196846709a3ad9c7a0ac3b033829
• Instruction ID: 5f2c81f1a464f8638bed0d9b77a76d4db9e9725f30e14e21403447c77e97b5ca
• Opcode Fuzzy Hash: 237f283f83863944ae1e47a72efe981a6f76196846709a3ad9c7a0ac3b033829
• Instruction Fuzzy Hash: 2C410439901215EBCF249F5AC8845BEB7B9FF25300F14482BF862D6AA1D338ED80D725
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00474261: __EH_prolog3_GS.LIBCMT ref: 00474268
  • Part of subcall function 00474261: GetSystemMetrics.USER32(00000000), ref: 004742EB
  • Part of subcall function 00474261: GetSystemMetrics.USER32(00000001), ref: 004742F1
  • Part of subcall function 00474261: IsWindow.USER32(?), ref: 00474307
  • Part of subcall function 00474261: GetWindowRect.USER32(?,?), ref: 0047431D
  • Part of subcall function 004864E6: LoadIconA.USER32(00000000,00007F01), ref: 00486521
  • Part of subcall function 004864E6: SendMessageA.USER32(?,00000170,00000000,00000000), ref: 00486534
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486AF0
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486AFC
  • Part of subcall function 00486A47: GetWindowRect.USER32(?,?), ref: 00486B60
  • Part of subcall function 004B894D: ShowWindow.USER32(?,?,?,004B6C70,00000000,0000E146,00000000,?,?,00402098,0000002C,0000000A), ref: 004B895E
• GetSystemMetrics.USER32(00000000), ref: 00474522
• GetSystemMetrics.USER32(00000001), ref: 00474528
• IsWindow.USER32(?), ref: 0047453B
• GetWindowRect.USER32(?,?), ref: 0047454C
• GetWindowRect.USER32(?,?), ref: 00474579
• GetParent.USER32(?), ref: 004745AD
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Window$Rect$MetricsSystem$H_prolog3_IconLoadMessageParentSendShow
• String ID:
• API String ID: 699161555-0
• Opcode ID: b4c970440d18b6327fc8fc2a460da8d4e51a0d2d978237b34d648e33060d6c8a
• Instruction ID: 46f3ce453aba954fdfed97019b9d01302a5f6d199d8bfe368f2f830ff47d873f
• Opcode Fuzzy Hash: b4c970440d18b6327fc8fc2a460da8d4e51a0d2d978237b34d648e33060d6c8a
• Instruction Fuzzy Hash: 80418D71A10219ABCB00EFBDCD899FEBBF9AF84700B15456EB905E7251DB74AD00CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046807E
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
  • Part of subcall function 0044D91E: __EH_prolog3.LIBCMT ref: 0044D925
• lua_pushnil.LUA5.1(?,?,00000001), ref: 00468185
  • Part of subcall function 0044D971: GetPrivateProfileSectionNamesA.KERNEL32(?,00007FFF,?), ref: 0044D9E2
• lua_createtable.LUA5.1(?,00000000,00000000,?,00000001,0000000A), ref: 00468123
• lua_pushnumber.LUA5.1(?,?,?,?,00000001,0000000A), ref: 0046813E
• lua_pushstring.LUA5.1(?,?,?,00000001,0000000A), ref: 00468152
• lua_settable.LUA5.1(?,000000FD,?,?,?,00000001,0000000A), ref: 0046815A
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$lua_pushstring.lua_remove.$Exception@8NamesPrivateProfileSectionThrowlua_createtable.lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_settable.lua_tolstring.lua_type.
• String ID:
• API String ID: 2175084750-0
• Opcode ID: 42e3bda7aa8934ff1565e83afbb5c2f0b266a28d89225e6a0498d7f092201661
• Instruction ID: 964eb0b382dfc6881af28a0651297280a11ff364e87c9a980be2f3aef264cd65
• Opcode Fuzzy Hash: 42e3bda7aa8934ff1565e83afbb5c2f0b266a28d89225e6a0498d7f092201661
• Instruction Fuzzy Hash: E3316271C04205AADB05FBA5C8429EEBB78AF15319F54011FF41076282EF7D5B46C7AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 004AC68A
• ClientToScreen.USER32(?,?), ref: 004AC71F
• ScreenToClient.USER32(?,?), ref: 004AC72C
• ClientToScreen.USER32(?,?), ref: 004AC789
• ScreenToClient.USER32(?,?), ref: 004AC799
• PostMessageA.USER32(?,?,?,?), ref: 004AC7B6
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: ClientScreen$MessageParentPost
• String ID:
• API String ID: 1061243768-0
• Opcode ID: d155d447339293dab207f08065233faf1ab0a9b68b13769f205704c713b29753
• Instruction ID: 1064a73f65d73a5808c445d715e792a1cf236f9653b793605b97fe3e281e98e8
• Opcode Fuzzy Hash: d155d447339293dab207f08065233faf1ab0a9b68b13769f205704c713b29753
• Instruction Fuzzy Hash: 6441B279600606EFDB658F98C9C49BEBBB9FF15300F10442BE986D2660D738DD80DB55
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 004A5D14: IsWindow.USER32(00000000), ref: 004A5D2B
                                                                                                                              • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004A6127
                                                                                                                              • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 004A613D
                                                                                                                              • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004A6161
                                                                                                                              • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004A6175
                                                                                                                              • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 004A618B
                                                                                                                              • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004A61AF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Window
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2326795674-0
                                                                                                                              • Opcode ID: dd0b02d2243b1b5b165e13baadc21d22c5f6a94c424495e22ec00f14025672ae
                                                                                                                              • Instruction ID: dd2a6879cb5b7dddbf3b9eb783261300787931560575817acd186612409d7866
                                                                                                                              • Opcode Fuzzy Hash: dd0b02d2243b1b5b165e13baadc21d22c5f6a94c424495e22ec00f14025672ae
                                                                                                                              • Instruction Fuzzy Hash: 3431C135600610EFDB21CF59CD80E6BBBB4EF55744F26405AB9459B272C735ED01DB18
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0040A04C
                                                                                                                              • ConvertStringSidToSidA.ADVAPI32(?,?), ref: 0040A063
                                                                                                                              • GetNamedSecurityInfoA.ADVAPI32(?,00000001,00000004,00000000,00000000,?,00000000,?), ref: 0040A0A3
                                                                                                                              • LocalFree.KERNEL32(?), ref: 0040A0FA
                                                                                                                                • Part of subcall function 00401437: _memcpy_s.LIBCMT ref: 00401484
                                                                                                                              • GetLastError.KERNEL32(?,?,0000000C), ref: 0040A0FE
                                                                                                                              • LocalFree.KERNEL32(?), ref: 0040A10E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeLocal$ConvertErrorH_prolog3InfoLastNamedSecurityString_memcpy_s
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3337624286-0
                                                                                                                              • Opcode ID: 162259d2069366155a835b20fba6162220ea529449cf34c0f3c59800657dde39
                                                                                                                              • Instruction ID: cf40d6f147ec1991fbeb4ca50f0f56657745493d72f687c83a63c04d0d7dcf0b
                                                                                                                              • Opcode Fuzzy Hash: 162259d2069366155a835b20fba6162220ea529449cf34c0f3c59800657dde39
                                                                                                                              • Instruction Fuzzy Hash: E121857180020AAFCF14DFA9CC45DEE7BB8FF44324F04461AF924AB2A1D7359A50CB55
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SetEvent.KERNEL32(?,00000000,00000000,00000000,00000000,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000), ref: 006543DB
                                                                                                                              • GetExitCodeThread.KERNEL32(?,00000001,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000,?,00000001), ref: 006543F2
                                                                                                                              • WaitForSingleObject.KERNEL32(?,00000064,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000,?,00000001), ref: 00654415
                                                                                                                              • GetExitCodeThread.KERNEL32(?,00000103,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000,?,00000001), ref: 00654423
                                                                                                                              • TerminateThread.KERNEL32(?,00000000,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000,?,00000001), ref: 0065442E
                                                                                                                              • CloseHandle.KERNEL32(?,?,0063E375,\irsetup.skin,00698DAC,00000000,?,0042744E,00000000,00000000,\irsetup.skin,00000000,?,00000001), ref: 00654438
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Thread$CodeExit$CloseEventHandleObjectSingleTerminateWait
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1721022855-0
                                                                                                                              • Opcode ID: 77c75e342eea0d59735b2cc8f79a1722212ad2ed0b8b30936ab208ca3941d359
                                                                                                                              • Instruction ID: 4b1024d96a560649203c44b235e15101fd3e489d754b4c9d70eef91ab3271da9
                                                                                                                              • Opcode Fuzzy Hash: 77c75e342eea0d59735b2cc8f79a1722212ad2ed0b8b30936ab208ca3941d359
                                                                                                                              • Instruction Fuzzy Hash: 0E01A171504701EFD720CF64DC88FABB7EEEB44719F10854AE84A83600DA74AD86DB60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • IsWindow.USER32(?), ref: 00454398
                                                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 004543A9
                                                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004543B6
                                                                                                                              • GetLastError.KERNEL32 ref: 004543BE
                                                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004543CB
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004543D2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$Window$CloseErrorHandleLastOpenTerminateThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1040422698-0
                                                                                                                              • Opcode ID: a6936f529746508b28fdd4d360a103aed8b4509a23c4fc75794c3ba0296e1934
                                                                                                                              • Instruction ID: 6c23a5e13b322d671da5d3c5dc172c218928bf465203741ac2e83f08e177bfd5
                                                                                                                              • Opcode Fuzzy Hash: a6936f529746508b28fdd4d360a103aed8b4509a23c4fc75794c3ba0296e1934
                                                                                                                              • Instruction Fuzzy Hash: A3F0E531514310BFD7215F60DD0DB9A7BAEEF04B51F011412FD02D2561DBB0AD00ABD8
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: Args$Event$Name$Script
                                                                                                                              • API String ID: 431132790-2529934338
                                                                                                                              • Opcode ID: be2653ef5509429438ac60f4cbbb5fb1232baca02e6501835cca3ba6f15232e4
                                                                                                                              • Instruction ID: 6dc0f1cac93f748457e8dad0270fd65e72f9037a4c3610a1faaf671d57d669ec
                                                                                                                              • Opcode Fuzzy Hash: be2653ef5509429438ac60f4cbbb5fb1232baca02e6501835cca3ba6f15232e4
                                                                                                                              • Instruction Fuzzy Hash: 0951A1B1900705DFCB14EFB5C4916AEBBF5BF08714F04862EA4AAA72D1C7349A44CF59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004160D7
                                                                                                                              • _memset.LIBCMT ref: 00416144
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 00405B1F: __EH_prolog3.LIBCMT ref: 00405B26
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_memset
                                                                                                                              • String ID: Empty document$No root element$Root element has sibling
                                                                                                                              • API String ID: 1193784468-3062692564
                                                                                                                              • Opcode ID: eff45c9a208cd3107d426c45c7a5d0ada919c0eb57451a2c35473df95a81bb40
                                                                                                                              • Instruction ID: bf27e4930bcd17e86714112474728f5fb655d26f63f0a8a0b559240779794816
                                                                                                                              • Opcode Fuzzy Hash: eff45c9a208cd3107d426c45c7a5d0ada919c0eb57451a2c35473df95a81bb40
                                                                                                                              • Instruction Fuzzy Hash: 22518FB0900A00DFC724DF6AC8419AAF7F9FF943007148A5FE096A77A2D774A945CF55
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • wsprintfA.USER32 ref: 0044C393
                                                                                                                              • _strlen.LIBCMT ref: 0044C399
                                                                                                                              • wsprintfA.USER32 ref: 0044C3C2
                                                                                                                              • _strlen.LIBCMT ref: 0044C3C8
                                                                                                                                • Part of subcall function 0040181F: _memmove_s.LIBCMT ref: 00401866
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                                • Part of subcall function 00405B1F: __EH_prolog3.LIBCMT ref: 00405B26
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3_strlenwsprintf$_memmove_s
                                                                                                                              • String ID: %lu
                                                                                                                              • API String ID: 3440408245-685833217
                                                                                                                              • Opcode ID: a250e0827594a57e3c3e479fad96e3a31cdc6af4533e4226bbf73eb7e655aa62
                                                                                                                              • Instruction ID: 8140289437c539985019a4c164240a4a8fb33c8983e675549e547797f61c810d
                                                                                                                              • Opcode Fuzzy Hash: a250e0827594a57e3c3e479fad96e3a31cdc6af4533e4226bbf73eb7e655aa62
                                                                                                                              • Instruction Fuzzy Hash: 763130B2D0000CABCB05EBE4DC51AEEB76DAF48314F54426EF511F72D2DA34AA048B64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0041414B
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                                • Part of subcall function 00403D53: _strlen.LIBCMT ref: 00403D63
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: _strlen$H_prolog3
                                                                                                                              • String ID: -->$<!--$<![CDATA[$]]>
                                                                                                                              • API String ID: 2883720156-909480014
                                                                                                                              • Opcode ID: e5029ee801d2ae18a695d8c6d27d9ee0a96e1d2bbaff1dd49afb9c8b026a98d8
                                                                                                                              • Instruction ID: b4da90a62d22144e1056d03058bfb2b01c9016b99b40f8c2307bcf872ac66323
                                                                                                                              • Opcode Fuzzy Hash: e5029ee801d2ae18a695d8c6d27d9ee0a96e1d2bbaff1dd49afb9c8b026a98d8
                                                                                                                              • Instruction Fuzzy Hash: 5D31A974200209A7CF14AFA5C956DED3B16BFC4784F00856AFD156B2E1CA389ED1CB9E
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045264D
                                                                                                                                • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
                                                                                                                                • Part of subcall function 005B5A3A: __waccess_s.LIBCMT ref: 005B5A45
                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 004526E8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteFileH_prolog3__mbsinc__waccess_s
                                                                                                                              • String ID: %s\%s.lnk$%s\%s.pif$%s\%s.url
                                                                                                                              • API String ID: 1891361267-1849461506
                                                                                                                              • Opcode ID: cffea826a72ee0d22a7b657b2e9d553bb45e52888f4bb523f669c66ef7747a3b
                                                                                                                              • Instruction ID: c8098d5293ea8231048928bc5c6c8e2caef9bd53507bfb8d0508bfb13e750363
                                                                                                                              • Opcode Fuzzy Hash: cffea826a72ee0d22a7b657b2e9d553bb45e52888f4bb523f669c66ef7747a3b
                                                                                                                              • Instruction Fuzzy Hash: 6A21C23190011ABBCF04BFA5CC45EEF7B3ABF51318F04461AF924B62D2DA7496149B58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 005D62B9
                                                                                                                                • Part of subcall function 0063DF96: std::exception::exception.LIBCMT ref: 0063DFAB
                                                                                                                                • Part of subcall function 0063DF96: __CxxThrowException@8.LIBCMT ref: 0063DFC0
                                                                                                                                • Part of subcall function 0063DF96: std::exception::exception.LIBCMT ref: 0063DFD1
                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 005D62DB
                                                                                                                              • _memmove.LIBCMT ref: 005D6318
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                              • API String ID: 3404309857-4289949731
                                                                                                                              • Opcode ID: e11ea0d85beab975eb1149edff1131464f5a13fbffb034c71ff08f92789de56c
                                                                                                                              • Instruction ID: 3fa1a7fbf32da4c74fee0e020a0cac3dd00f7cf3ce413fa8e02295307799f654
                                                                                                                              • Opcode Fuzzy Hash: e11ea0d85beab975eb1149edff1131464f5a13fbffb034c71ff08f92789de56c
                                                                                                                              • Instruction Fuzzy Hash: 211146717006049FDB34DF6CD881A6ABBE9FB44710B100D2FF9928B782C7B0E9468B94
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFontH_prolog3_Indirect__cftof_memset
                                                                                                                              • String ID: Marlett
                                                                                                                              • API String ID: 2128786630-3688754224
                                                                                                                              • Opcode ID: 20f5717c141fd7cb3d82e0138df906b7d05abc300c7ca9ca1377d0302dbd4d1d
                                                                                                                              • Instruction ID: 1835c9286c18a0aa3bf0e3c10dc126b099a6328de194ae9a51a789b30e85e1fa
                                                                                                                              • Opcode Fuzzy Hash: 20f5717c141fd7cb3d82e0138df906b7d05abc300c7ca9ca1377d0302dbd4d1d
                                                                                                                              • Instruction Fuzzy Hash: D41173B1D002189FDB14EFD4CC99BEDBB74BF48304F54056EF215AB282DB7469058B59
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,0074DE40,?,0041B446,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00458423
                                                                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00458434
                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,?,0041B446,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00458444
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                                              • String ID: IsWow64Process$kernel32.dll
                                                                                                                              • API String ID: 4190356694-3024904723
                                                                                                                              • Opcode ID: b5d8cc11028e8811edd2eef216608145585a36bb643d185323ea980ec59e9bd4
                                                                                                                              • Instruction ID: 13e03e53dfd61a4c41021413e91832a6ba6fa3f94253dbe169baf48d78082fdd
                                                                                                                              • Opcode Fuzzy Hash: b5d8cc11028e8811edd2eef216608145585a36bb643d185323ea980ec59e9bd4
                                                                                                                              • Instruction Fuzzy Hash: 43E04871910219F7CB10ABB4AD09A5F76ADAB01755B055056BC00E3550DE78DD049A94
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 004524AE
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 004524E4
                                                                                                                              • _memset.LIBCMT ref: 0045258F
                                                                                                                              • lstrlen.KERNEL32(?,?,00000104), ref: 004525AA
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 004525BA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$ByteCharMultiWidelstrcpylstrlen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4173576495-0
                                                                                                                              • Opcode ID: 4a7cb955d97413f53a084aaf797762d9521527b3df445ee9d0921ee09f83cdbc
                                                                                                                              • Instruction ID: a7f2df4dba6ee50d02e5bc6a7b4ce97770c1a92cf0fccdad2477dd29f7926439
                                                                                                                              • Opcode Fuzzy Hash: 4a7cb955d97413f53a084aaf797762d9521527b3df445ee9d0921ee09f83cdbc
                                                                                                                              • Instruction Fuzzy Hash: 4F4109B5A00218AFCB15DFA4CC88EAAB7BDEF4C305F000499F946D7251DA75AE85CF60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0045A449
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 00459710: __EH_prolog3.LIBCMT ref: 00459717
                                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 0045A4CE
                                                                                                                              • __splitpath_s.LIBCMT ref: 0045A525
                                                                                                                              • _strlen.LIBCMT ref: 0045A54A
                                                                                                                              • _strlen.LIBCMT ref: 0045A56A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_strlenlua_remove.$AttributesFileH_prolog3___splitpath_slua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.lua_type.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2240342688-0
                                                                                                                              • Opcode ID: 846c2f49d318e5d1e34ec0ec722065ed7ac176a6dfead1c9874bca287cfbc19c
                                                                                                                              • Instruction ID: 9c326fb5b371cfbe702569be7433592812b90eaaed47a84b3d560e1d23403ade
                                                                                                                              • Opcode Fuzzy Hash: 846c2f49d318e5d1e34ec0ec722065ed7ac176a6dfead1c9874bca287cfbc19c
                                                                                                                              • Instruction Fuzzy Hash: 85415472800118ABD71AEB64CC86EDE777CAF18314F5402DEF115A21D2EE386F888B65
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00454169
                                                                                                                              • GetWindow.USER32(?,00000004), ref: 0045417D
                                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0045418D
                                                                                                                              • GetWindowTextA.USER32(?,?,000001F4), ref: 004541B4
                                                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0045420F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$H_prolog3_LongProcessTextThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2837326627-0
                                                                                                                              • Opcode ID: 90c64c5048e886618278fcde7f650a74fe987fb865f7dce11a3908c320455e9e
                                                                                                                              • Instruction ID: 58d4a6f727775820769da4ba1580a99c3ba89c1185597fcef965989e5b76594d
                                                                                                                              • Opcode Fuzzy Hash: 90c64c5048e886618278fcde7f650a74fe987fb865f7dce11a3908c320455e9e
                                                                                                                              • Instruction Fuzzy Hash: CF4177719002199BCB14DBA1CC49BEEB374AF50319F1042DEB515A61D2DB385FC5CF14
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0045C1B5
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • _memset.LIBCMT ref: 0045C224
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0045C23F
                                                                                                                              • _memset.LIBCMT ref: 0045C252
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0045C267
                                                                                                                                • Part of subcall function 00447EF0: __EH_prolog3.LIBCMT ref: 00447EF7
                                                                                                                                • Part of subcall function 00447EF0: _strlen.LIBCMT ref: 00447F01
                                                                                                                                • Part of subcall function 004593D3: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593E5
                                                                                                                                • Part of subcall function 004593D3: lua_pushstring.LUA5.1(?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F0
                                                                                                                                • Part of subcall function 004593D3: lua_gettable.LUA5.1(?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F8
                                                                                                                                • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459400
                                                                                                                                • Part of subcall function 004593D3: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459408
                                                                                                                                • Part of subcall function 004593D3: lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 0045941E
                                                                                                                                • Part of subcall function 004593D3: lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00407717), ref: 0045942A
                                                                                                                                • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FF,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 00459439
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_remove.$_memsetlstrcpylua_getfield.lua_gettable.lua_pcall.lua_pushstring.lua_type.$H_prolog3__strlenlua_gettop.lua_pushnumber.lua_tolstring.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3937928458-0
                                                                                                                              • Opcode ID: 3bc4001ff84c6442614a8b3cdcd01590065ac73382d109098373f8ef9b4a37d3
                                                                                                                              • Instruction ID: 5bf3a12a68cf43bff7a1dad2f7335fc9eeedb001f644d9ab985a88227d9b37cc
                                                                                                                              • Opcode Fuzzy Hash: 3bc4001ff84c6442614a8b3cdcd01590065ac73382d109098373f8ef9b4a37d3
                                                                                                                              • Instruction Fuzzy Hash: D031527184111CAADB25B7A4DC9ABDD7778AF15308F1001DAF119721C3DF782F858AA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0045C2DD
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                              • _memset.LIBCMT ref: 0045C34C
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0045C367
                                                                                                                              • _memset.LIBCMT ref: 0045C37A
                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 0045C38F
                                                                                                                                • Part of subcall function 0044807D: __EH_prolog3.LIBCMT ref: 00448084
                                                                                                                                • Part of subcall function 0044807D: _strlen.LIBCMT ref: 00448096
                                                                                                                                • Part of subcall function 004593D3: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593E5
                                                                                                                                • Part of subcall function 004593D3: lua_pushstring.LUA5.1(?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F0
                                                                                                                                • Part of subcall function 004593D3: lua_gettable.LUA5.1(?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 004593F8
                                                                                                                                • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459400
                                                                                                                                • Part of subcall function 004593D3: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,SetLastError,?,FFFFD8EE,Application,?,?,00407717,?,00000000), ref: 00459408
                                                                                                                                • Part of subcall function 004593D3: lua_pushnumber.LUA5.1(?,?,?,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 0045941E
                                                                                                                                • Part of subcall function 004593D3: lua_pcall.LUA5.1(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00407717), ref: 0045942A
                                                                                                                                • Part of subcall function 004593D3: lua_remove.LUA5.1(?,000000FF,?,?,?,?,?,?,?,?,00407717,?,00000000), ref: 00459439
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_remove.$_memsetlstrcpylua_getfield.lua_gettable.lua_pcall.lua_pushstring.lua_type.$H_prolog3__strlenlua_gettop.lua_pushnumber.lua_tolstring.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3937928458-0
                                                                                                                              • Opcode ID: a8a6ede6f421b4ec2bf5c54d69252d0b5f670909ea980f6be0c1785f5466cd6e
                                                                                                                              • Instruction ID: 7954a0b3aaab49431f47d082f4a823743a3088eab8451d171cea81c101cbff50
                                                                                                                              • Opcode Fuzzy Hash: a8a6ede6f421b4ec2bf5c54d69252d0b5f670909ea980f6be0c1785f5466cd6e
                                                                                                                              • Instruction Fuzzy Hash: E631507180111CAADB25B7A4DC9AFDD7778AF15308F1001DAF519B21C3EE782F898AA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0047A043
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
                                                                                                                                • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 00477AD1: lua_getfield.LUA5.1(?,FFFFD8EE,System), ref: 00477AE4
                                                                                                                                • Part of subcall function 00477AD1: lua_type.LUA5.1(?,000000FF,?,FFFFD8EE,System), ref: 00477AEC
                                                                                                                                • Part of subcall function 00477AD1: lua_pushstring.LUA5.1(?,UserSIDError), ref: 00477AFF
                                                                                                                                • Part of subcall function 00477AD1: lua_pushnumber.LUA5.1(?,?,UserSIDError), ref: 00477B18
                                                                                                                                • Part of subcall function 00477AD1: lua_settable.LUA5.1(?,000000FD,?,?,UserSIDError), ref: 00477B20
                                                                                                                                • Part of subcall function 00477AD1: lua_settop.LUA5.1(?,000000FE), ref: 00477B2B
                                                                                                                              • ConvertSidToStringSidA.ADVAPI32(00000000,?), ref: 0047A0B0
                                                                                                                              • GetLastError.KERNEL32 ref: 0047A0CF
                                                                                                                              • LocalFree.KERNEL32(?), ref: 0047A0DB
                                                                                                                              • lua_pushstring.LUA5.1(?,00000000,?,00000000,?,?,00000000), ref: 0047A0FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_pushstring.$lua_getfield.lua_remove.lua_type.$ConvertErrorFreeLastLocalStringlua_gettable.lua_gettop.lua_pcall.lua_pushnumber.lua_settable.lua_settop.lua_tolstring.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2413815711-0
                                                                                                                              • Opcode ID: d4e7eec4a9516925b4f7c10296ce8e1580c3defc767dd86ff62d9c6f3afe51d6
                                                                                                                              • Instruction ID: 88765f4fcc436cf0771b062fd37eae9243fd452fba4b5f66a5f8979f63d892c3
                                                                                                                              • Opcode Fuzzy Hash: d4e7eec4a9516925b4f7c10296ce8e1580c3defc767dd86ff62d9c6f3afe51d6
                                                                                                                              • Instruction Fuzzy Hash: D4219571C0410AABDF01BFA5CC42BEE7B79EF15319F10441AF510B21D2EB7D5A158AAA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004B4023
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 004B4068
                                                                                                                              • FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,0072BA34,00000004,00401307,8007000E), ref: 004B4093
                                                                                                                              • __cftof.LIBCMT ref: 004B40B1
                                                                                                                                • Part of subcall function 005BB686: __mbsnbcpy_s_l.LIBCMT ref: 005BB699
                                                                                                                                • Part of subcall function 004073BE: __CxxThrowException@8.LIBCMT ref: 004B4C72
                                                                                                                                • Part of subcall function 004073BE: __EH_prolog3.LIBCMT ref: 004B4C7F
                                                                                                                              • LocalFree.KERNEL32(?), ref: 004B40C2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Exception@8H_prolog3Throw$FormatFreeLocalMessage__cftof__mbsnbcpy_s_l_malloc
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2344462309-0
                                                                                                                              • Opcode ID: 924acb030b0dd5709970d9ca210fc530f80b3592b620febc06fbb0cd3e6a15e0
                                                                                                                              • Instruction ID: 8385308ff0b6711cd09086404dae78498f7e4cd3f0ba4cc3dfd4f0a57bcddeee
                                                                                                                              • Opcode Fuzzy Hash: 924acb030b0dd5709970d9ca210fc530f80b3592b620febc06fbb0cd3e6a15e0
                                                                                                                              • Instruction Fuzzy Hash: 33112672500209AFEB10EF94CC81AEE3BA8FF04750F20852AFA658A192D774DD008BA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
                                                                                                                                • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
                                                                                                                                • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
                                                                                                                                • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
                                                                                                                                • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
                                                                                                                                • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
                                                                                                                                • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
                                                                                                                                • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
                                                                                                                                • Part of subcall function 004599E0: __EH_prolog3.LIBCMT ref: 004599E7
                                                                                                                                • Part of subcall function 004599E0: lua_type.LUA5.1(?,?,00000000,00000000,0000000C,004085AC,?,?,00000024), ref: 00459A16
                                                                                                                              • lua_pushnil.LUA5.1(?,?,00000001,?,00000001,?), ref: 0047A34A
                                                                                                                              • lua_next.LUA5.1(?,00000001,?,?,00000001,?,00000001,?), ref: 0047A352
                                                                                                                              • lua_settop.LUA5.1(?,000000FE), ref: 0047A362
                                                                                                                              • lua_next.LUA5.1(?,00000001,?,000000FE), ref: 0047A36A
                                                                                                                              • lua_pushnumber.LUA5.1(?,?,00000000), ref: 0047A384
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3lua_next.lua_remove.lua_type.$lua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushnil.lua_pushnumber.lua_pushstring.lua_settop.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 377322443-0
                                                                                                                              • Opcode ID: 0128b5d3d4cde5198e8f1a01fb3d9ea2cea6d80a44ec2ae0b26fa119d3e878f9
                                                                                                                              • Instruction ID: 2e8fff610f2c092369eccec324a390fcb3a8ac0456f987f3f66d148c2db4a6b4
                                                                                                                              • Opcode Fuzzy Hash: 0128b5d3d4cde5198e8f1a01fb3d9ea2cea6d80a44ec2ae0b26fa119d3e878f9
                                                                                                                              • Instruction Fuzzy Hash: AAF06D72919524B6DA113AA74C43FDF355C9F1231EF10004AFD04B1083EAAD9B0242BF
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045029F
                                                                                                                                • Part of subcall function 00450222: __mbsinc.LIBCMT ref: 00450248
                                                                                                                                • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0045198A: __EH_prolog3.LIBCMT ref: 00451991
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                                • Part of subcall function 0040C6E5: __mbsinc.LIBCMT ref: 0040C70E
                                                                                                                                • Part of subcall function 005B5A3A: __waccess_s.LIBCMT ref: 005B5A45
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$__mbsinc$__waccess_s_memcpy_s
                                                                                                                              • String ID: %s\shell\open\command$.EXE$NONE
                                                                                                                              • API String ID: 3389249389-1731575293
                                                                                                                              • Opcode ID: df90cf1c473f11c74c0984262d09bed065412bc5df3f6e4dd4b453a3d6d12b7d
                                                                                                                              • Instruction ID: a80df439b8a52fc51525319e28b154746fb3562db487d4f90617a527fd395898
                                                                                                                              • Opcode Fuzzy Hash: df90cf1c473f11c74c0984262d09bed065412bc5df3f6e4dd4b453a3d6d12b7d
                                                                                                                              • Instruction Fuzzy Hash: 06817171C00148EBCB04EBE5C852BEEBBB8AF15318F14415EF415B72D2DB785A04CB6A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045656A
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_strlen
                                                                                                                              • String ID: DIRECT$PROXY$SOCKS
                                                                                                                              • API String ID: 3239654323-4104639072
                                                                                                                              • Opcode ID: a918144667e1fba5714fa05b721d1be282dde8a517ebb17c2f31dd819da233c5
                                                                                                                              • Instruction ID: 966d4d5a08026b86b27771dd517caa850658ab183deabed4d714cb91f7a06f6a
                                                                                                                              • Opcode Fuzzy Hash: a918144667e1fba5714fa05b721d1be282dde8a517ebb17c2f31dd819da233c5
                                                                                                                              • Instruction Fuzzy Hash: 3951B571500149EBCF04EFB4C952ADE3B68AF14318F10426EBD55B73D2DB38AA54C7A5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 004AA511
                                                                                                                                • Part of subcall function 004A912C: IsWindow.USER32(?), ref: 004A9143
                                                                                                                                • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
                                                                                                                                • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$H_prolog3_catchWindow
                                                                                                                              • String ID: <//html>$<HTML$<html>
                                                                                                                              • API String ID: 1732688955-2422906094
                                                                                                                              • Opcode ID: 3b6a04b0e3c77a2158de1d9c04cdb7b7f5441d205fb4c5ab9e3d5ba9402dbe37
                                                                                                                              • Instruction ID: e3d4836bbeb1ca7a503d12168d8d734c6c43cf3d436befa448b46516d05d584e
                                                                                                                              • Opcode Fuzzy Hash: 3b6a04b0e3c77a2158de1d9c04cdb7b7f5441d205fb4c5ab9e3d5ba9402dbe37
                                                                                                                              • Instruction Fuzzy Hash: 2841A771800509AFDB04EFB4C891DFE77A9AF25318F14411EF156672D1DB386E09CB69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 005DA260
                                                                                                                                • Part of subcall function 005D31F9: __EH_prolog3_catch.LIBCMT ref: 005D3200
                                                                                                                                • Part of subcall function 005D31F9: TlsGetValue.KERNEL32(00000000,0000000C,005D68EE,00000408,005D2578,00000011,is5_GetHBITMAPDimensions,00000000), ref: 005D3217
                                                                                                                                • Part of subcall function 005D31F9: TlsSetValue.KERNEL32(?,00000000), ref: 005D324E
                                                                                                                                • Part of subcall function 005D31F9: GetLastError.KERNEL32(?,00000000), ref: 005D3258
                                                                                                                                • Part of subcall function 005D31F9: __CxxThrowException@8.LIBCMT ref: 005D326A
                                                                                                                                • Part of subcall function 005D31F9: RtlEnterCriticalSection.NTDLL(?), ref: 005D3273
                                                                                                                                • Part of subcall function 005D31F9: RtlLeaveCriticalSection.NTDLL(?), ref: 005D3289
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalSectionValue$EnterErrorException@8H_prolog3H_prolog3_catchLastLeaveThrow
                                                                                                                              • String ID: \lv$\lv$\lv
                                                                                                                              • API String ID: 3824262711-4218718864
                                                                                                                              • Opcode ID: 56aa0ece9236ba82f7487c225eaf0c5477ed2cc403817d116b7db424502004bc
                                                                                                                              • Instruction ID: 87ff6bdcbb7c18c9bf9d8aa3027a24873d70cadc41dfe628f9852fbdd59976fc
                                                                                                                              • Opcode Fuzzy Hash: 56aa0ece9236ba82f7487c225eaf0c5477ed2cc403817d116b7db424502004bc
                                                                                                                              • Instruction Fuzzy Hash: 5E41F3316002868FCB248F39C4942EE7FA2FF55311F14856FD8968B381D730CA55CBA2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0042237D
                                                                                                                                • Part of subcall function 00420099: __EH_prolog3.LIBCMT ref: 004200A0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: FolderPath$Removed! %d$UninstallFolders
                                                                                                                              • API String ID: 431132790-11669486
                                                                                                                              • Opcode ID: 216ef09120e3c3e10b2aed0a647c6dedcf0eb063ebf124e8d1f2b7b996ad4821
                                                                                                                              • Instruction ID: 1f25a8f78b31a01330cedd8b0f878c44fc4b09969ae298907611d9b41c84de9b
                                                                                                                              • Opcode Fuzzy Hash: 216ef09120e3c3e10b2aed0a647c6dedcf0eb063ebf124e8d1f2b7b996ad4821
                                                                                                                              • Instruction Fuzzy Hash: 1D41E370900616AFCB04EFA9CD926AEBB74BF14318F50412FF515A72D2CB786A44CB99
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0048816B
                                                                                                                                • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
                                                                                                                                • Part of subcall function 0048BA06: __EH_prolog3.LIBCMT ref: 0048BA0D
                                                                                                                                • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
                                                                                                                                • Part of subcall function 0048B96F: __EH_prolog3.LIBCMT ref: 0048B976
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_memcpy_s
                                                                                                                              • String ID: %s > %s$On Finish$On Start
                                                                                                                              • API String ID: 1663610674-2316300774
                                                                                                                              • Opcode ID: 129cba8ad970f4b1f6bcccfab5a3e43e6d706647ee7d6fcc26fa50d970f0c97e
                                                                                                                              • Instruction ID: 646fa91338fe9db11bf972bf1dbc2578417da251673459d34939e2a263e9c43a
                                                                                                                              • Opcode Fuzzy Hash: 129cba8ad970f4b1f6bcccfab5a3e43e6d706647ee7d6fcc26fa50d970f0c97e
                                                                                                                              • Instruction Fuzzy Hash: 3241A271D006059FCB01EFA9C946AAEBBF4EF45314F14055EE150B73A2DB389D00CBAA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0044E29C
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 00405B1F: __EH_prolog3.LIBCMT ref: 00405B26
  • Part of subcall function 0041E239: __mbsinc.LIBCMT ref: 0041E25A
• _strlen.LIBCMT ref: 0044E301
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
  • Part of subcall function 005B5A3A: __waccess_s.LIBCMT ref: 005B5A45
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$__mbsinc__waccess_s_memcpy_s_strlen_strnlen
• String ID: .bak$.bak%d
• API String ID: 252054876-745829535
• Opcode ID: f2798abd04e773b3f924161f2cbc9808147c7744cdd3c33be7328fcbd6f29a78
• Instruction ID: a6629165de4a08371d3567a7239a9dfcf3a6bd31bf3181d3c83161df220a6890
• Opcode Fuzzy Hash: f2798abd04e773b3f924161f2cbc9808147c7744cdd3c33be7328fcbd6f29a78
• Instruction Fuzzy Hash: 7441707180014DDBDB05EBE5CC51AEEB778AF51328F14025EF625B62D2DA386A04CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00450578
  • Part of subcall function 00405AB7: __mbsinc.LIBCMT ref: 00405AF2
  • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
  • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
• _strlen.LIBCMT ref: 00450631
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
Strings
• SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0045065D
• LocalMachine, xrefs: 00450650
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$__mbsinc_memcpy_s_strlen_strnlen
• String ID: LocalMachine$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• API String ID: 1156756648-2878631348
• Opcode ID: cb32c6c4199eddd9a5e64275ed53709d80e8604ef014715f5fb092e4c0a40a5f
• Instruction ID: 728b704b949a38a5dc9944357a540339e8ac530d097af4ef2e0b4df00097c061
• Opcode Fuzzy Hash: cb32c6c4199eddd9a5e64275ed53709d80e8604ef014715f5fb092e4c0a40a5f
• Instruction Fuzzy Hash: 6B417271801048EBDB04EFE5CC55EEFBB78AF61318F10815EB516B72D2DA385A05CBA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 004D62DE
• GetSysColor.USER32(00000014), ref: 004D6328
• CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 004D637B
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: BitmapColorCreate_memset
• String ID: (
• API String ID: 3930187609-3887548279
• Opcode ID: 216ce0dca380e9d8f3a7c483cf183c3586b77cb0e7f2202218da1c2f3407897c
• Instruction ID: d3e4e40b265b3f4b0f2ce9cef43c4a227e7a8af8d986203458eb2ef81ac037a8
• Opcode Fuzzy Hash: 216ce0dca380e9d8f3a7c483cf183c3586b77cb0e7f2202218da1c2f3407897c
• Instruction Fuzzy Hash: C921F531A10258DFEB04CFB8CC16BEDBBF8AB95700F00846EE546E7281DA355A48CB65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004A655A
  • Part of subcall function 004A1C10: __EH_prolog3.LIBCMT ref: 004A1C17
  • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415183
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415210
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415231
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415255
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415275
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _strlen$H_prolog3
• String ID: ListType$MultiSelect$Sorted
• API String ID: 2883720156-1327083446
• Opcode ID: 6cfd3cd8378ca744752cce5539f7a927869b5b290ab7c3d931e48ca329dcacba
• Instruction ID: 3fa6e366d7b328a63d6a96c0a2a15c3577d2020135bf5bcc21d6a37d6ff21e8d
• Opcode Fuzzy Hash: 6cfd3cd8378ca744752cce5539f7a927869b5b290ab7c3d931e48ca329dcacba
• Instruction Fuzzy Hash: 60118A31900108BBCF15BFA1CC56EDF3F6AAF45318F008429BA186B192DB75DA14CBA8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004A851D
  • Part of subcall function 004A1C10: __EH_prolog3.LIBCMT ref: 004A1C17
  • Part of subcall function 004150D3: __EH_prolog3.LIBCMT ref: 004150DA
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415183
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415210
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415231
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415255
  • Part of subcall function 004150D3: _strlen.LIBCMT ref: 00415275
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: _strlen$H_prolog3
• String ID: EndID$Group$StartID
• API String ID: 2883720156-2190418817
• Opcode ID: 6ad35977dcf7acc4385a170120fef7c0afdfaa9875c5d78e63b3b08d17024b47
• Instruction ID: 4f550db60bc2854704c601f39d4e7a7cf6bfdfa23b9dd1421b209e0b60aa2067
• Opcode Fuzzy Hash: 6ad35977dcf7acc4385a170120fef7c0afdfaa9875c5d78e63b3b08d17024b47
• Instruction Fuzzy Hash: 54113335500108BBCF15BFA1CC56ECE3F6AEF45318F408429BA186B192DB75DB55CBA8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0046C3D2
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• GetProcAddress.KERNEL32(00000000,MsiVerifyPackageA), ref: 0046C40F
• lua_pushboolean.LUA5.1(?,00000000,?,00001068), ref: 0046C445
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$lua_remove.$AddressProclua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushboolean.lua_pushstring.lua_tolstring.lua_type.
                                                                                                                              • String ID: MsiVerifyPackageA
                                                                                                                              • API String ID: 4118008204-617025837
                                                                                                                              • Opcode ID: 95bcfcce48990d69094c7a7dd4128b17447598bf75a38b1478d8abdf22871c4c
                                                                                                                              • Instruction ID: 05ac26b780cb0604726968fe31a00a0882ec082fafccb4a282dc66d30486d7ea
                                                                                                                              • Opcode Fuzzy Hash: 95bcfcce48990d69094c7a7dd4128b17447598bf75a38b1478d8abdf22871c4c
                                                                                                                              • Instruction Fuzzy Hash: 9B01F771A10610A7DB00BB728C56BBF31299F91309F44452AB815E72C3FE7DDE0282AF
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• GetStockObject.GDI32(00000011), ref: 004A25F4
• GetObjectA.GDI32(?,0000003C,z&J), ref: 004A2609
• CreateFontIndirectA.GDI32(z&J), ref: 004A2613
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Object$CreateFontIndirectStock
• String ID: z&J
• API String ID: 3061784605-4092600126
• Opcode ID: b1e28c541fa733d3290d139a2fc9233dc343d6ecbefe1a576e47b4319e408a91
• Instruction ID: d492d361b471aba2dfbe452061f2eec14d66e9ddc0ec44344f4b0833b288f7a5
• Opcode Fuzzy Hash: b1e28c541fa733d3290d139a2fc9233dc343d6ecbefe1a576e47b4319e408a91
• Instruction Fuzzy Hash: A101D471901204EFDB14EFA4CD49FEE77A8BF15704F00406AB50297291EB789E01C798
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00458469
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00458479
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 1646373207-1355242751
• Opcode ID: 809e379261778a22049dc7cd900d6a16dc9b88353652d0116b8e4f2c6b3020c2
• Instruction ID: 1ff13905a51415e075afe50281d86705b5fc59e357cd74f0587d07b2c5f40283
• Opcode Fuzzy Hash: 809e379261778a22049dc7cd900d6a16dc9b88353652d0116b8e4f2c6b3020c2
• Instruction Fuzzy Hash: 0FF0A7302443136AEB30AB75AC05B6725995B02753F01C42FBD06F5581FF58C8849515
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004584D4
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004584E4
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 1646373207-3689287502
• Opcode ID: 7dbde9df1455f64e515b17baf0241a023638ab90d69f93a19855e6eec9b483c7
• Instruction ID: 1339a3e163044292a2d6352339026d89d749280eecb5ffce3570e7c95204ada9
• Opcode Fuzzy Hash: 7dbde9df1455f64e515b17baf0241a023638ab90d69f93a19855e6eec9b483c7
• Instruction Fuzzy Hash: 95E09272258312A6EB60AF757C05BE723CC9F01712B05442FBD01E2281FE68DE459558
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,0000000C,?,004CC6FC,00450998,00000000,0067C48C,0000002E,00450998,00000000,?,?,-00000010,0067C48C,000000FF), ref: 004CC5CB
• GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 004CC5DB
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetFileAttributesTransactedA$kernel32.dll
• API String ID: 1646373207-3426858862
• Opcode ID: ca72214b1d173978ed10eca5fa06c6926e6a333da5d28cc2a4b38bbff4a888cd
• Instruction ID: eff63673d26a5773e27f7028ad22434c107f854985b6ad7336fb4b345ecede4b
• Opcode Fuzzy Hash: ca72214b1d173978ed10eca5fa06c6926e6a333da5d28cc2a4b38bbff4a888cd
• Instruction Fuzzy Hash: 15F0A035208214FBCB601FA4DC08FA77B9EAF04761F04942FF808E2560CB75C850DA5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,?,004CCA39,?,?,?,?), ref: 004CC61B
• GetProcAddress.KERNEL32(00000000,SetFileAttributesTransactedA), ref: 004CC62B
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: SetFileAttributesTransactedA$kernel32.dll
• API String ID: 1646373207-2148319600
• Opcode ID: 9c08c0872df6669f508016dbc777ecfb01d364b7acf23875c265820d3ef64a2a
• Instruction ID: e6e7da15563c68cb6470ea20513956ac45543a69c34b78db2af607744c11e715
• Opcode Fuzzy Hash: 9c08c0872df6669f508016dbc777ecfb01d364b7acf23875c265820d3ef64a2a
• Instruction Fuzzy Hash: 7FF0E531304200EBCB619FA8ED08FA377DDAB04B51F04602FF808C1550C675C850EA59
Uniqueness

Uniqueness Score: -1.00%

APIs
• luaL_openlib.LUA5.1(00000005,DlgStaticText,00000005,00000000), ref: 0047422D
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: L_openlib.
• String ID: DlgStaticText$GetProperties$SetProperties
• API String ID: 3969157368-645260892
• Opcode ID: a290a65a30caca169974793a87624b075e17a436115033dc1d64602be31e8c24
• Instruction ID: b22a9d3b8687bd467980c7927fa641c4572775c43c47ab89fe9e9b867a45fb94
• Opcode Fuzzy Hash: a290a65a30caca169974793a87624b075e17a436115033dc1d64602be31e8c24
• Instruction Fuzzy Hash: 71F01970D00209AF8F04EFA9C54A5FE7FF8EB49744B50845EE015A7241D7B457098F99
Uniqueness

Uniqueness Score: -1.00%

APIs
• luaL_openlib.LUA5.1(00000005,DlgRadioButton,00000005,00000000), ref: 00460311
Strings
Similarity
• API ID: L_openlib.
• String ID: DlgRadioButton$GetProperties$SetProperties
• API String ID: 3969157368-2764889335
• Opcode ID: 2fbab99d4c9cca7a735fbd0945f9b550839291bacf8b3e0679bc07e771acef0f
• Instruction ID: d0bef29211921e77e188d1a125ccf3f0f12cf8afbaee966386ff1e9962906c27
• Opcode Fuzzy Hash: 2fbab99d4c9cca7a735fbd0945f9b550839291bacf8b3e0679bc07e771acef0f
• Instruction Fuzzy Hash: 6FF01970D00209AF8F04EFA9C8465EE7FF4EB49304B50405EE415B7241E7B467098FA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• _strlen.LIBCMT ref: 00480568
• _strlen.LIBCMT ref: 0048058A
  • Part of subcall function 0040C40D: _memmove_s.LIBCMT ref: 0040C41C
  • Part of subcall function 0040A123: _memcpy_s.LIBCMT ref: 0040A132
• _strlen.LIBCMT ref: 004805CA
• _strlen.LIBCMT ref: 0048068B
Similarity
• API ID: _strlen$_memcpy_s_memmove_s
• String ID:
• API String ID: 113752263-0
• Opcode ID: a6d2dd262cadd2bbc3807b2a38674347466c67b7b1e3e8040c06a36fcba0e8ab
• Instruction ID: 7900f2dea71fa849a8ec511d31eff4f1f4b64b5e13e753643e85aa7c0b6b3f71
• Opcode Fuzzy Hash: a6d2dd262cadd2bbc3807b2a38674347466c67b7b1e3e8040c06a36fcba0e8ab
• Instruction Fuzzy Hash: 91418272D10229EFCF51EF98D8449AEBBB4FF44310F14481BE815B7201D7386A559F98
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: e30517e5eed2b78d5987cd9bcfbe1bcfaffbb4bb8e8c8801428c975d6827f4bc
• Instruction ID: 5adb804a9426d1b3b2281c17dca9d19d36d4a8c09956aca643e959a9b1f86492
• Opcode Fuzzy Hash: e30517e5eed2b78d5987cd9bcfbe1bcfaffbb4bb8e8c8801428c975d6827f4bc
• Instruction Fuzzy Hash: D441AE31A006059BDB249FA9C8846FEBFB9FFA0364B38A529E41597240DF71FE41CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0045C402
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
• lua_gettop.LUA5.1(?,?,00000002), ref: 0045C440
• lua_isnumber.LUA5.1(?,00000003), ref: 0045C450
• lua_pushstring.LUA5.1(?,?), ref: 0045C531
Similarity
• API ID: H_prolog3$lua_gettop.lua_pushstring.lua_remove.$lua_getfield.lua_gettable.lua_isnumber.lua_pcall.lua_tolstring.lua_type.
• String ID:
• API String ID: 2155798388-0
• Opcode ID: 873ccb128f9632f23a3facc55d4f562449e0385c17cb1957501116e979423948
• Instruction ID: 994a313eae519e7559076e8f90161cd1989d5b4ecc068049e11cdd8b5c91e6d7
• Opcode Fuzzy Hash: 873ccb128f9632f23a3facc55d4f562449e0385c17cb1957501116e979423948
• Instruction Fuzzy Hash: 26417E71D00209AADB05FBF5C992AEEBB74AF15308F10442EF511762D3EB785A09CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Rect$Offset$H_prolog3_Intersect
• String ID:
• API String ID: 356646339-0
• Opcode ID: 7fe238366689dbe35e59c5b331e0044029d9fb2150e6b98c08adb5ee4964ff22
• Instruction ID: 15408a9fb60d54da1a8cb47ae4eb9be6a8f75fe6670de7a4edd4f6701c09edab
• Opcode Fuzzy Hash: 7fe238366689dbe35e59c5b331e0044029d9fb2150e6b98c08adb5ee4964ff22
• Instruction Fuzzy Hash: 2441E571D106199FCF14DFA8C984AEEBBB9BF48304F04426EE51AB3250DB34AA45CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(?), ref: 004B0327
• GetClientRect.USER32(?,?), ref: 004B0363
  • Part of subcall function 004B871B: GetDlgItem.USER32(?,?), ref: 004B872C
• GetWindowRect.USER32(?,?), ref: 004B037F
  • Part of subcall function 004B791F: ScreenToClient.USER32(?,?), ref: 004B7930
  • Part of subcall function 004B791F: ScreenToClient.USER32(?,?), ref: 004B793D
• GetWindowRect.USER32(?,?), ref: 004B0396
  • Part of subcall function 004B890D: MoveWindow.USER32(?,?,?,?,?,?), ref: 004B892A
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$ClientRect$Screen$ItemMove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 198861566-0
                                                                                                                              • Opcode ID: b08d71743050f5cc22f8af101bcaccce2a847cfeb0194766bb56d51693f9ad9e
                                                                                                                              • Instruction ID: 345ed08e0f9f4b7c531e0a2a9b45f16450f0634dd90b742dbe78580ebffb2026
                                                                                                                              • Opcode Fuzzy Hash: b08d71743050f5cc22f8af101bcaccce2a847cfeb0194766bb56d51693f9ad9e
                                                                                                                              • Instruction Fuzzy Hash: 8941C6B1D00219AFCF04DFB9C955AEEBBF9BF48304F10452EE516A3250EB756A10CB64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClientScreen$MessageParentPost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1061243768-0
                                                                                                                              • Opcode ID: aeacedc40a1869bc83cf260dc0ebb8eb7ccbe6e07688114a6ca554fc2890f868
                                                                                                                              • Instruction ID: 06363d9323e0d559d1244f2b1486fb16fc487abe3b3adec5bb0e7285aafd6f62
                                                                                                                              • Opcode Fuzzy Hash: aeacedc40a1869bc83cf260dc0ebb8eb7ccbe6e07688114a6ca554fc2890f868
                                                                                                                              • Instruction Fuzzy Hash: 5821F57B911600AFDF654B98C8C8ABB76B9EF26300F14486BE846D1661D73CDC40D729
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClientScreen$MessageParentPost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1061243768-0
                                                                                                                              • Opcode ID: eab27d46aa6ad2ff844ee8ea324544f74d84520d5aa5dac851b688db8e48c040
                                                                                                                              • Instruction ID: 4bf5e70ec8c75705513fa75a3a6835e4446892fcbcd13e6d91ae5b21b3cd688c
                                                                                                                              • Opcode Fuzzy Hash: eab27d46aa6ad2ff844ee8ea324544f74d84520d5aa5dac851b688db8e48c040
                                                                                                                              • Instruction Fuzzy Hash: 9F21D171511110ABEF298B9AC8889BF7EADEF18310F54083BF851D1671EA78DC50DB29
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • ClientToScreen.USER32(?,?), ref: 00448531
                                                                                                                              • WindowFromPoint.USER32(?,?), ref: 0044853D
                                                                                                                              • GetActiveWindow.USER32 ref: 0044856B
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0044859F
                                                                                                                                • Part of subcall function 004484F2: InvalidateRect.USER32(00000000,00000000,00000001,00441A29), ref: 00448510
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InvalidateRectWindow$ActiveClientFromPointScreen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2221759807-0
                                                                                                                              • Opcode ID: 005262f34e046df46182577cbae4920de490abcf23c28c87a279b96a4720d46a
                                                                                                                              • Instruction ID: 971592695af4aa4a5c26c97fcb9972cac0caad2c20eb2311cf1197bcaa40fd2e
                                                                                                                              • Opcode Fuzzy Hash: 005262f34e046df46182577cbae4920de490abcf23c28c87a279b96a4720d46a
                                                                                                                              • Instruction Fuzzy Hash: 46215CB1800604EBEB219FA5C848AAFB7F9FF94305F10852FE48682250DF789D40DF69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004CA25A
                                                                                                                                • Part of subcall function 004C188A: __EH_prolog3.LIBCMT ref: 004C1891
                                                                                                                              • __strdup.LIBCMT ref: 004CA27C
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 004CA2A9
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004CA2B2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentH_prolog3Thread$__strdup
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4206445780-0
                                                                                                                              • Opcode ID: c0329751fec8586060d734211a3b4b4d52b161ede445a0e91d394c00de02558f
                                                                                                                              • Instruction ID: 9cd8d915c63df98dd955c826410fb9da4a31eeb8c51ae84d751a36a164e24194
                                                                                                                              • Opcode Fuzzy Hash: c0329751fec8586060d734211a3b4b4d52b161ede445a0e91d394c00de02558f
                                                                                                                              • Instruction Fuzzy Hash: 9631DDB4900B008ED7619F7AC04578AFBE9BFA4704F10890FD1EA87722DBB4A401CF46
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004B057C
                                                                                                                              • IsWindow.USER32(?), ref: 004B058B
                                                                                                                              • SendMessageA.USER32(?,000000C5,00000000,00000000), ref: 004B05A8
                                                                                                                                • Part of subcall function 004B8F6B: __EH_prolog3.LIBCMT ref: 004B8F72
                                                                                                                                • Part of subcall function 004B8F6B: GetWindowTextLengthA.USER32(?), ref: 004B8F82
                                                                                                                                • Part of subcall function 00442ADC: SendMessageA.USER32(?,000000B1,?,?), ref: 00442AF7
                                                                                                                                • Part of subcall function 00442ADC: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00442B0A
                                                                                                                              • SendMessageA.USER32(?,000000C2,00000000,?), ref: 004B05D4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$H_prolog3Window$LengthText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1634938522-0
                                                                                                                              • Opcode ID: f5706f71f95ab9cd4b7e1098afe1129a5b15131fe7e421ad1d3583af26d102f8
                                                                                                                              • Instruction ID: 486be45daddcbfaa45da6146378adfa51eab473f8a37d5c0ca814d5b3a2eeef1
                                                                                                                              • Opcode Fuzzy Hash: f5706f71f95ab9cd4b7e1098afe1129a5b15131fe7e421ad1d3583af26d102f8
                                                                                                                              • Instruction Fuzzy Hash: AD01A271100601ABE734AF35CD06FEB7AAABF90300F00461EB65A665E1EE707A00DA54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • lua_getfield.LUA5.1(0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C58C
                                                                                                                              • lua_isnumber.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C596
                                                                                                                              • lua_tonumber.LUA5.1(0000C264,000000FF), ref: 0040C5A7
                                                                                                                              • lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C5BA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lua_getfield.lua_isnumber.lua_remove.lua_tonumber.
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2047693980-0
                                                                                                                              • Opcode ID: 6751d414c27cd720c12b7a4c1137f2ce4e9722f4823f3a350f3f74a90acb1605
                                                                                                                              • Instruction ID: 34385ceb871f78d4ee620e2db635cec28b1108594c3489dbcedb0548f7da87a4
                                                                                                                              • Opcode Fuzzy Hash: 6751d414c27cd720c12b7a4c1137f2ce4e9722f4823f3a350f3f74a90acb1605
                                                                                                                              • Instruction Fuzzy Hash: 4AF0E23210821477CA252B6BDD03C6B3E92CE81734320433FF439612E2EE36F91095A8
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

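The function listings above (the IsWindow/SendMessageA routine at 004B057C and the lua_getfield/lua_isnumber/lua_tonumber/lua_remove routine at 0040C58C) are flat sequences of API names, hexadecimal arguments and return addresses, with the message IDs passed to SendMessageA left as raw numbers. The following Python is added here as an example; it is not Joe Sandbox code and not code recovered from the analysed sample. It parses the "• Name.MODULE(args), ref: ADDR" lines of such a block, including the indented "Part of subcall function" entries, into structured records, resolves the second argument of SendMessage*/PostMessage* calls against constants taken from winuser.h, and handles module names that contain a dot (LUA5.1). The regular expression and the names ApiCall, parse_api_block, resolve_message, summarize and imported_modules are this example's own; the two sample inputs are the APIs blocks of those two functions copied from this report.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into
structured call records and resolve SendMessage/PostMessage message IDs.

Added example for this report page; not Joe Sandbox code. The regex is
written against the line shape seen in this report; the message table
values come from winuser.h.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the APIs block of the function at 004B057C, copied
# from this report.
SAMPLE = """\
APIs
• __EH_prolog3.LIBCMT ref: 004B057C
• IsWindow.USER32(?), ref: 004B058B
• SendMessageA.USER32(?,000000C5,00000000,00000000), ref: 004B05A8
  • Part of subcall function 004B8F6B: __EH_prolog3.LIBCMT ref: 004B8F72
  • Part of subcall function 004B8F6B: GetWindowTextLengthA.USER32(?), ref: 004B8F82
  • Part of subcall function 00442ADC: SendMessageA.USER32(?,000000B1,?,?), ref: 00442AF7
  • Part of subcall function 00442ADC: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00442B0A
• SendMessageA.USER32(?,000000C2,00000000,?), ref: 004B05D4
"""

# Constructed sample: the APIs block of the Lua routine at 0040C58C.
LUA_SAMPLE = """\
APIs
• lua_getfield.LUA5.1(0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C58C
• lua_isnumber.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,?,80000000,?,?,00403F08,?), ref: 0040C596
• lua_tonumber.LUA5.1(0000C264,000000FF), ref: 0040C5A7
• lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C5BA
"""

# Window and edit-control messages (values from winuser.h). Extend as needed.
MESSAGE_NAMES = {
    0x000C: "WM_SETTEXT",
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x00B1: "EM_SETSEL",
    0x00B7: "EM_SCROLLCARET",
    0x00C2: "EM_REPLACESEL",
    0x00C5: "EM_LIMITTEXT",
}

# "• [Part of subcall function PARENT: ]Api.Module[(args)][,] ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # return address of the call site
    parent: Optional[int]         # subcall routine address, None for direct calls
    message: Optional[str] = None # resolved message name for SendMessage*/PostMessage*


def resolve_message(call: ApiCall) -> Optional[str]:
    """The second argument of SendMessage*/PostMessage* is the message ID."""
    if not call.api.startswith(("SendMessage", "PostMessage")) or len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:
        return None  # "?" means the analyser could not recover a constant
    return MESSAGE_NAMES.get(msg, f"0x{msg:04X}")


def parse_api_block(text: str) -> List[ApiCall]:
    """Turn one APIs block into ApiCall records; non-call lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        call = ApiCall(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            parent=int(m.group("parent"), 16) if m.group("parent") else None,
        )
        call.message = resolve_message(call)
        calls.append(call)
    return calls


def imported_modules(calls: List[ApiCall]) -> Set[str]:
    """Modules touched by the function, a quick view of its import surface."""
    return {c.module for c in calls}


def summarize(calls: List[ApiCall]) -> List[str]:
    """One line per call: return address, nesting, API and resolved message."""
    out = []
    for c in calls:
        indent = "    " if c.parent is not None else ""
        msg = f" [{c.message}]" if c.message else ""
        out.append(f"{indent}{c.ref:08X} {c.api}.{c.module}{msg}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_api_block(SAMPLE))))
    print("\n".join(summarize(parse_api_block(LUA_SAMPLE))))
```

Resolving the constants turns the 004B057C listing into EM_LIMITTEXT, then (inside the subcall) EM_SETSEL and EM_SCROLLCARET, then EM_REPLACESEL, which is the standard pattern for appending text to an edit control. Nothing in that sequence is what the report's signatures flag; the value of the parser is that it lets the analyst skim hundreds of these records and stop only on the ones whose API sequence matters (the explorer.exe injection and service enumeration called out in the overview), rather than reading raw hex. The message table covers only the IDs needed here; extend it from winuser.h for other functions.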
                                                                                                                              APIs
                                                                                                                              • lua_getfield.LUA5.1(0000C264,FFFFD8EE,00000001,?,?,?,00440D2C,?,?,?,00404344,00000000,00000000,00000000,00000000,000000B8), ref: 0040C5E8
                                                                                                                              • lua_type.LUA5.1(0000C264,000000FF,0000C264,FFFFD8EE,00000001,?,?,?,00440D2C,?,?,?,00404344,00000000,00000000,00000000), ref: 0040C5F2
                                                                                                                              • lua_toboolean.LUA5.1(0000C264,000000FF), ref: 0040C604
                                                                                                                              • lua_remove.LUA5.1(0000C264,000000FF), ref: 0040C612
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_getfield.lua_remove.lua_toboolean.lua_type.
• String ID:
• API String ID: 2181360-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: \lv$\lv
• API String ID: 431132790-1248172524
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: <%K$%K
• API String ID: 431132790-1487158298
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 0044246E
• _strlen.LIBCMT ref: 004426A0
  • Part of subcall function 004B4C5C: __CxxThrowException@8.LIBCMT ref: 004B4C72
  • Part of subcall function 004B4C5C: __EH_prolog3.LIBCMT ref: 004B4C7F
  • Part of subcall function 00405B1F: __EH_prolog3.LIBCMT ref: 00405B26
  • Part of subcall function 00405B76: __EH_prolog3.LIBCMT ref: 00405B7D
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw_strlen
• String ID: NoName
• API String ID: 2154318092-1084695559
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 0048E179
  • Part of subcall function 00495D98: __EH_prolog3.LIBCMT ref: 00495D9F
  • Part of subcall function 0048E05E: __EH_prolog3.LIBCMT ref: 0048E065
  • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
Strings
• IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS, xrefs: 0048E1F4
• IDS_CTRL_STATICTEXT_BOTTOMINSTRUCTIONS, xrefs: 0048E412
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID: IDS_CTRL_STATICTEXT_BOTTOMINSTRUCTIONS$IDS_CTRL_STATICTEXT_TOPINSTRUCTIONS
• API String ID: 1683881009-824710809
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 004245B7
  • Part of subcall function 00440C8A: __EH_prolog3.LIBCMT ref: 00440C91
• _strlen.LIBCMT ref: 004246AC
  • Part of subcall function 00403C07: _strnlen.LIBCMT ref: 00403C37
  • Part of subcall function 00403C07: _memcpy_s.LIBCMT ref: 00403C6B
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s_strlen_strnlen
• String ID: Register font: %s, %s
• API String ID: 1892780499-1918436487
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 004220C1
  • Part of subcall function 00420099: __EH_prolog3.LIBCMT ref: 004200A0
Strings
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3
                                                                                                                              • String ID: Filename$UninstallSupportFiles
                                                                                                                              • API String ID: 431132790-55940283
                                                                                                                              • Opcode ID: 1277dcaa622907119764ad5e5faea075ac53874c9df902febed5b4e412c3f1a1
                                                                                                                              • Instruction ID: 47b24c476e0377023b4d4f50175e69a259599bde5f67da7d036f474b1a809ac7
                                                                                                                              • Opcode Fuzzy Hash: 1277dcaa622907119764ad5e5faea075ac53874c9df902febed5b4e412c3f1a1
                                                                                                                              • Instruction Fuzzy Hash: EA41B670A006259BCF14EFA9D9116BE77F5BF54314F10421FE111A73D2CBBC5A418B9A
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0042221F
  • Part of subcall function 00420099: __EH_prolog3.LIBCMT ref: 004200A0
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Filename$UninstallShortcuts
• API String ID: 431132790-4021962188
• Opcode ID: fc7b65e8f180523d8cff9d306d9e2f527034efedd4be07ab3745435a35caa7a6
• Instruction ID: 42fc102d8ea62ab7d67fa21a25c247ed79968e0ed36cf2968324f5bd4d24e061
• Opcode Fuzzy Hash: fc7b65e8f180523d8cff9d306d9e2f527034efedd4be07ab3745435a35caa7a6
• Instruction Fuzzy Hash: DC41D470A00625DBCF14EFA9D9016AEBBE5AF54314F14024FE415A73D2CBBC5A40CBAE
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004264B8
  • Part of subcall function 0041955F: __EH_prolog3.LIBCMT ref: 00419566
  • Part of subcall function 0040C75B: __EH_prolog3.LIBCMT ref: 0040C762
  • Part of subcall function 0043A00F: __EH_prolog3.LIBCMT ref: 0043A016
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 00405D33: __EH_prolog3.LIBCMT ref: 00405D3A
  • Part of subcall function 0040C75B: _strlen.LIBCMT ref: 0040C79F
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s_strlen
• String ID: Run project event: $Start project event:
• API String ID: 4110081478-2638573925
• Opcode ID: 9af03919ad98ea2ff44c1bdc72abefa017b8349485456150be635f3fb2498c9e
• Instruction ID: 5cc4c3c62b65d79466555cef047e22551e79e3c5d189eaad7bd2e67f678267b0
• Opcode Fuzzy Hash: 9af03919ad98ea2ff44c1bdc72abefa017b8349485456150be635f3fb2498c9e
• Instruction Fuzzy Hash: AF31FAB2900149EFDB00DFACCC42AAE7BA8AF15334F05425FF114A73D2DB38594087AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004162FF
  • Part of subcall function 005B5F48: __mbschr_l.LIBCMT ref: 005B5F55
  • Part of subcall function 00401614: _memcpy_s.LIBCMT ref: 00401664
  • Part of subcall function 004162A0: __EH_prolog3.LIBCMT ref: 004162A7
  • Part of subcall function 00414641: __EH_prolog3.LIBCMT ref: 00414648
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$__mbschr_l_memcpy_s
• String ID: ?$encoding
• API String ID: 1563950669-2818917450
• Opcode ID: 198f5a37f27b20e401cef653bdcc962bb93af6b701c9a748b9e95fe7af228fd1
• Instruction ID: 8beec658f47c173e54bf494b5a1f7cb827fbdb7c5fe12a14deec660935adfa82
• Opcode Fuzzy Hash: 198f5a37f27b20e401cef653bdcc962bb93af6b701c9a748b9e95fe7af228fd1
• Instruction Fuzzy Hash: 8521DE71D00218ABCB05EFE4C842AEEBBB8AF54714F50405EB415BB2D1DB786E44CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 004640E4
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
  • Part of subcall function 00459852: __EH_prolog3.LIBCMT ref: 00459859
  • Part of subcall function 00459852: lua_tolstring.LUA5.1(?,?,00000000,00000000,00000000,0000000C,004082AF,?,00000002,?,00000001,?,00000002), ref: 0045988A
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0045974C: __EH_prolog3.LIBCMT ref: 00459753
• ShellExecuteA.SHELL32(?,print,?,00000000,006985B8,00000001), ref: 00464165
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$lua_remove.$ExecuteH_prolog3_catchShelllua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.lua_type.
• String ID: print
• API String ID: 3443421824-366378086
• Opcode ID: 15441bc6f606fc1d2fbb40ca625243c4ae6607939cf1c96797288d8a71100e37
• Instruction ID: eba65f6731d70616b561b17330c5d0e9bf965a57260831191e73eadb3b29bd5b
• Opcode Fuzzy Hash: 15441bc6f606fc1d2fbb40ca625243c4ae6607939cf1c96797288d8a71100e37
• Instruction Fuzzy Hash: 6B21D072800204EFCF14ABA9CC46ADE7BB5AF55324F14415EF414B72E2DA784E418795
Uniqueness
Uniqueness Score: -1.00%

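The function records in this section follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), and the fields an analyst actually pivots on are buried in it: which function calls ShellExecuteA and with what literal arguments, which dumped regions are executable, and the API String ID / Instruction Fuzzy Hash pairs used to match functions across samples. The following parser is an added example, not code from Joe Sandbox or from this report. The sample text inside it is a constructed excerpt copied from the records above (including the fused "Download File" link text the extraction left on the Associated lines). Reading the fifth field of an .sdmp name as a Windows PAGE_* protection value and the seventh as a MEM_* type is an inference from the values that appear on this page (00000040, 00000002, 00000004, 00000080 and 01000000 line up exactly with those winnt.h constants); the remaining field labels (proc, dump, ts) are assumptions, and the helper names are the example's own.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity /
Uniqueness) into dicts, decode .sdmp dump names, and index the fields an analyst
pivots on: API refs, executable dumped regions and instruction fuzzy hashes."""
import re
from collections import defaultdict

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# winnt.h constants. Reading field 5 as PAGE_* and field 7 as MEM_* is an inference
# from the values seen on the page (00000040/02/04/80 and 01000000), not a documented
# format; field labels proc/dump/ts below are assumptions.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}
EXEC_MASK = 0xF0  # every PAGE_EXECUTE* value sets a bit in this nibble

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<ts>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp", re.I)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<lib>[A-Za-z0-9_.]+?)"   # lib may contain dots (LUA5.1)
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")


def decode_sdmp(text):
    """Find a .sdmp name in `text` and split it into labelled fields (None if absent)."""
    m = SDMP_RE.search(text)             # search(): tolerates 'Offset: ...' and 'Download File' tails
    if not m:
        return None
    protect, mtype = int(m["protect"], 16), int(m["type"], 16)
    return {"name": m.group(0), "proc": int(m["proc"], 16), "dump": int(m["dump"], 16),
            "base": int(m["base"], 16), "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "executable": bool(protect & EXEC_MASK), "type": MEM_TYPE.get(mtype, hex(mtype))}


def parse_records(text):
    """One dict per function record; a record starts at an 'APIs' header."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if line == "APIs":
                cur = {"apis": [], "dumps": [], "sim": {}, "uniqueness": None}
                records.append(cur)
            continue
        if cur is None:                  # trailer of a record that began before the excerpt
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur["apis"].append(m.groupdict())   # caller is None for direct calls
        elif section == "Memory Dump Source":
            d = decode_sdmp(line)
            if d:
                d["role"] = "source" if line.startswith("• Source") else "associated"
                cur["dumps"].append(d)
        elif section == "Similarity":
            key, _, val = line.lstrip("• ").partition(": ")
            cur["sim"][key] = val
        elif section == "Uniqueness":
            m = re.search(r"Uniqueness Score:\s*(-?[\d.]+)%", line)
            if m:
                cur["uniqueness"] = float(m.group(1))
    return records


def calls_to(records, api):
    """(record index, ref) for every direct or subcall reference to `api`."""
    return [(i, a["ref"]) for i, r in enumerate(records) for a in r["apis"] if a["api"] == api]


def executable_dumps(records):
    """Distinct dumped regions with an execute bit, as sorted (base, protect) tuples."""
    return sorted({(d["base"], d["protect"]) for r in records for d in r["dumps"] if d["executable"]})


def fuzzy_hash_index(records):
    """API String ID -> instruction fuzzy hashes, the pair used to match functions across samples."""
    idx = defaultdict(list)
    for r in records:
        if "API String ID" in r["sim"]:
            idx[r["sim"]["API String ID"]].append(r["sim"].get("Instruction Fuzzy Hash"))
    return dict(idx)


# Constructed excerpt copied from two records on this page (not the full report).
SAMPLE = """\
APIs
• __EH_prolog3_catch.LIBCMT ref: 004640E4
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
• ShellExecuteA.SHELL32(?,print,?,00000000,006985B8,00000001), ref: 00464165
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: H_prolog3$lua_remove.$ExecuteH_prolog3_catchShelllua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushstring.lua_tolstring.lua_type.
• String ID: print
• API String ID: 3443421824-366378086
• Instruction Fuzzy Hash: 6B21D072800204EFCF14ABA9CC46ADE7BB5AF55324F14415EF414B72E2DA784E418795
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
Uniqueness
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("ShellExecuteA refs:", calls_to(recs, "ShellExecuteA"))
    print("executable dumps:", [(hex(b), p) for b, p in executable_dumps(recs)])
    print("fuzzy hash index:", fuzzy_hash_index(recs))
```

Run against a saved copy of the report, the same three queries answer the questions this section raises: calls_to() locates the ShellExecuteA site at 00464165 together with its literal "print" verb argument and the Lua 5.1 call chain it sits behind, executable_dumps() reduces the repeated Memory Dump Source blocks to the one PAGE_EXECUTE_READWRITE region at 0x401000 that the decompiled code was taken from, and fuzzy_hash_index() yields the API String ID to Instruction Fuzzy Hash pairs to compare against other samples.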
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
• Opcode ID: 0629f4484b26a44fc1a56b01b1647ad36a0802f28c3f333f901848276b3a90bd
• Instruction ID: 077f7d89b475d6e683ab414d4bce797751aafec1e2986c2e42f4a95046fee9f1
• Opcode Fuzzy Hash: 0629f4484b26a44fc1a56b01b1647ad36a0802f28c3f333f901848276b3a90bd
• Instruction Fuzzy Hash: 7A11BF313002509BDB349E2D989192ABFF9FF81750B100D2FF5928B382CBB1E8068795
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00488482
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0048BA06: __EH_prolog3.LIBCMT ref: 0048BA0D
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 0048B96F: __EH_prolog3.LIBCMT ref: 0048B976
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: %s > %s$On Cancel
• API String ID: 1663610674-4107358699
• Opcode ID: ae21eaec5ed2107657d045b7b07a1d06c283dbdacee6d3e73f929ce8cba5501b
• Instruction ID: c8f999d9bd459b61b5cb77a64eb0f9c51b2f0f945836efb90cde309488d13f0d
• Opcode Fuzzy Hash: ae21eaec5ed2107657d045b7b07a1d06c283dbdacee6d3e73f929ce8cba5501b
• Instruction Fuzzy Hash: AA21A470900605AFCB05FFB9C942BAEBBB5AF44714F54091EF051B7292DB385A00CBA6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004883B6
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0048BA06: __EH_prolog3.LIBCMT ref: 0048BA0D
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
  • Part of subcall function 0048B96F: __EH_prolog3.LIBCMT ref: 0048B976
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: %s > %s$On Cancel
• API String ID: 1663610674-4107358699
• Opcode ID: ea2a26cc739851528c1b89963832d3021b83f2bffad37e885242eff9091fca3d
• Instruction ID: c89c011d05bc630bf2a469a0269bd86a11688692109d5cb697d4e426d6be56fe
• Opcode Fuzzy Hash: ea2a26cc739851528c1b89963832d3021b83f2bffad37e885242eff9091fca3d
• Instruction Fuzzy Hash: 5421A170900605AFCB05FFA9C942BAEBBB5AF44714F54051EF0517B292DB386A008BA6
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: EmptyH_prolog3Rect
• String ID: ]BL
• API String ID: 1443337074-637551821
• Opcode ID: d1314e7f394a8d5293840de06f1a2fc5423b55e0776975a8a518fd1489feb5d1
• Instruction ID: af16234a0bd55b8f225354b7cc0055cc49a466b223a0746b518ddba455388b9e
• Opcode Fuzzy Hash: d1314e7f394a8d5293840de06f1a2fc5423b55e0776975a8a518fd1489feb5d1
• Instruction Fuzzy Hash: 9C31AEB0801B41CED365DF6AC58179AFAE8BFA0300F108A4FD1EA972A1DBB42144CF65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0040438B
  • Part of subcall function 00401BAB: __EH_prolog3.LIBCMT ref: 00401BB2
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C22E
  • Part of subcall function 0043C227: __EH_prolog3.LIBCMT ref: 0043C2C6
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: MSG_CONFIRM$MSG_CONFIRM_ABORT
• API String ID: 431132790-3415406682
• Opcode ID: ed91f5e3794348906fb2e5210c6d6c2ece073984418fe557395350b6e4e5c49b
• Instruction ID: b74d0410de679e83c8f4f0dc2158e86b29b409bd476c9e7865942af7c707a1c5
• Opcode Fuzzy Hash: ed91f5e3794348906fb2e5210c6d6c2ece073984418fe557395350b6e4e5c49b
• Instruction Fuzzy Hash: 5411A370A001469FCB04EBE9CD92BBD37B6AF56728F00016EF2157B2D2CB7C1900875A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00459443: lua_getfield.LUA5.1(?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459455
  • Part of subcall function 00459443: lua_pushstring.LUA5.1(?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459460
  • Part of subcall function 00459443: lua_gettable.LUA5.1(?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459468
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459470
  • Part of subcall function 00459443: lua_type.LUA5.1(?,000000FF,?,000000FE,?,000000FE,?,ResetLastError,?,FFFFD8EE,Application,?,?,004076C5,?), ref: 00459478
  • Part of subcall function 00459443: lua_pcall.LUA5.1(?,00000000,00000000,00000000), ref: 0045948B
  • Part of subcall function 00459443: lua_remove.LUA5.1(?,000000FF), ref: 0045949A
  • Part of subcall function 004597A0: __EH_prolog3.LIBCMT ref: 004597A7
  • Part of subcall function 004597A0: lua_gettop.LUA5.1(?,00000000,00000000,00000008,004076D1,?,00000002,?), ref: 004597D3
• GetProcAddress.KERNEL32(00000000,MsiCloseHandle), ref: 0046A518
• lua_pushboolean.LUA5.1(?,00000000,?,00001068), ref: 0046A54C
Strings
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: lua_remove.$AddressH_prolog3Proclua_getfield.lua_gettable.lua_gettop.lua_pcall.lua_pushboolean.lua_pushstring.lua_type.
• String ID: MsiCloseHandle
• API String ID: 4025865003-1311317158
• Opcode ID: dc6e089bd59f491c7e3030d6111bb118c987abc4922721f1cfc76e1d38ede4fe
• Instruction ID: f6ef1090552a6ac81d90a0435019368be0c30177b7b8bdcdcf99600fdd8487e9
• Opcode Fuzzy Hash: dc6e089bd59f491c7e3030d6111bb118c987abc4922721f1cfc76e1d38ede4fe
• Instruction Fuzzy Hash: A7F0FC32614B10B6D60076B65C06AAF204D8FC2799B440427BC05E7242FE6DDE2745BF
Uniqueness
• Uniqueness Score: -1.00%

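The entries in this listing are meant to be compared rather than read one by one: the routines at refs 00488482 and 004883B6 share API String ID 1663610674-4107358699 and differ in only a handful of positions of their Instruction Fuzzy Hash, which is the pattern of one routine compiled twice, and the entry at 0046A518 shows the Lua 5.1 based runtime named in the snapshot file (irsetup) looking up MsiCloseHandle by name through GetProcAddress instead of importing it. The Python below is an added example, not Joe Sandbox tooling and not code from the analysed sample: it parses this plain-text entry format, groups entries by API String ID, scores hash closeness with a simple per-character Hamming distance (an assumption of this script; the page does not state how Joe Sandbox computes similarity), and lists every symbol resolved through GetProcAddress. The entries embedded in SAMPLE are abbreviated copies of the ones above; the threshold max_distance=12 is likewise an arbitrary choice for illustration.

```python
"""Triage helper for the per-function listing format of a Joe Sandbox report.

Added example. Assumes the plain-text layout visible in the report: an 'APIs'
header opens each function entry and 'Similarity' bullets carry the IDs and
hashes. The Hamming-distance metric is this script's own approximation, not
Joe Sandbox's similarity algorithm.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three entries abbreviated from the report listing.
SAMPLE = """\
APIs
• __EH_prolog3.LIBCMT ref: 00488482
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: %s > %s$On Cancel
• API String ID: 1663610674-4107358699
• Opcode ID: ae21eaec5ed2107657d045b7b07a1d06c283dbdacee6d3e73f929ce8cba5501b
• Instruction Fuzzy Hash: AA21A470900605AFCB05FFB9C942BAEBBB5AF44714F54091EF051B7292DB385A00CBA6
APIs
• __EH_prolog3.LIBCMT ref: 004883B6
  • Part of subcall function 004014A6: _memcpy_s.LIBCMT ref: 004014F6
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: %s > %s$On Cancel
• API String ID: 1663610674-4107358699
• Opcode ID: ea2a26cc739851528c1b89963832d3021b83f2bffad37e885242eff9091fca3d
• Instruction Fuzzy Hash: 5421A170900605AFCB05FFA9C942BAEBBB5AF44714F54051EF0517B292DB386A008BA6
APIs
• GetProcAddress.KERNEL32(00000000,MsiCloseHandle), ref: 0046A518
• lua_pushboolean.LUA5.1(?,00000000,?,00001068), ref: 0046A54C
Similarity
• API ID: lua_remove.$AddressH_prolog3Proclua_getfield.
• String ID: MsiCloseHandle
• API String ID: 4025865003-1311317158
• Opcode ID: dc6e089bd59f491c7e3030d6111bb118c987abc4922721f1cfc76e1d38ede4fe
• Instruction Fuzzy Hash: A7F0FC32614B10B6D60076B65C06AAF204D8FC2799B440427BC05E7242FE6DDE2745BF
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Similarity", "Uniqueness"}
GETPROC_RE = re.compile(r"GetProcAddress\.\w+\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]{8})")


@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)  # calls made by the function itself
    subcalls: list = field(default_factory=list)   # 'Part of subcall function' lines
    strings: list = field(default_factory=list)    # lines under the Strings header
    meta: dict = field(default_factory=dict)       # key/value bullets under Similarity


def parse_entries(text):
    """Split the listing into entries, starting a new one at each 'APIs' header."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            target = current.subcalls if body.startswith("Part of subcall function") else current.api_calls
            target.append(body)
        elif section == "Strings":
            current.strings.append(body)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current.meta[key.strip()] = value.strip()
    return entries


def fuzzy_distance(a, b):
    """Per-character Hamming distance; hashes of unequal length count as unrelated."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(entries, max_distance=12):
    """(opcode_a, opcode_b, distance) for entries sharing an API String ID with close hashes."""
    groups = defaultdict(list)
    for e in entries:
        if "API String ID" in e.meta and "Instruction Fuzzy Hash" in e.meta:
            groups[e.meta["API String ID"]].append(e)
    pairs = []
    for group in groups.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                d = fuzzy_distance(a.meta["Instruction Fuzzy Hash"], b.meta["Instruction Fuzzy Hash"])
                if d <= max_distance:
                    pairs.append((a.meta["Opcode ID"], b.meta["Opcode ID"], d))
    return pairs


def dynamic_imports(entries):
    """(call site, symbol) for every GetProcAddress call visible in the listing."""
    found = []
    for e in entries:
        for call in e.api_calls:
            m = GETPROC_RE.search(call)
            if m:
                found.append((m.group(2), m.group(1).split(",")[-1].strip()))
    return found


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(f"{len(parsed)} entries parsed")
    for a, b, d in near_duplicates(parsed):
        print(f"near-duplicate: {a[:12]} ~ {b[:12]} (distance {d})")
    for site, sym in dynamic_imports(parsed):
        print(f"dynamic import at {site}: {sym}")
```

Run against the full listing (paste the report's function section into SAMPLE or read it from a file), the near-duplicate pairs are candidates to collapse before manual review, and the GetProcAddress list is the set of symbols that never appear in the import table and therefore must be recovered from the listing rather than from the PE headers.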
APIs
Strings
• IDS_CTRL_STATICTEXT_LABEL_%.2d, xrefs: 0048E0AA
• IDS_CTRL_BUTTON_%.2d, xrefs: 0048E08C
Memory Dump Source
• Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
Similarity
• API ID: H_prolog3
• String ID: IDS_CTRL_BUTTON_%.2d$IDS_CTRL_STATICTEXT_LABEL_%.2d
• API String ID: 431132790-4255241125
• Opcode ID: 0f518fa13e8a4e84567f2e4f815177e42e85812197b579bbae6310d53bf1e8e2
• Instruction ID: a1befac484598a0effb131b5ed7314aab088a99fb4c1e66d3219876346b61753
• Opcode Fuzzy Hash: 0f518fa13e8a4e84567f2e4f815177e42e85812197b579bbae6310d53bf1e8e2
• Instruction Fuzzy Hash: 3301A2B2C00119A7CB14FBA5CC56BEE73B8BF50714F94062EB562F71C2DE785A05C668
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 00498674
                                                                                                                                • Part of subcall function 00497EA3: __EH_prolog3.LIBCMT ref: 00497EAA
                                                                                                                                • Part of subcall function 004019B2: _strlen.LIBCMT ref: 004019C2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$_strlen
                                                                                                                              • String ID: %RadioSelection%$r|I
                                                                                                                              • API String ID: 3239654323-1081963028
                                                                                                                              • Opcode ID: d6fef407ab31b7f7d67ce250c08820895125bea95f8e71c364612086cc800022
                                                                                                                              • Instruction ID: 405d4f114293bca0a1774b08168fef44fc3748a0c1cee4de86fc29faf36e4140
                                                                                                                              • Opcode Fuzzy Hash: d6fef407ab31b7f7d67ce250c08820895125bea95f8e71c364612086cc800022
                                                                                                                              • Instruction Fuzzy Hash: ECF0F4B0544B419ADB24FF74C8067CEBAA06F00704F10055EF1D9A71C2CBF83644CB69
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • std::exception::exception.LIBCMT ref: 005D2693
                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 005D26A8
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                                              • String ID: 1]
                                                                                                                              • API String ID: 4063778783-588761190
                                                                                                                              • Opcode ID: 04b04c9d25932102da9d1af3aa80f28ac78f7461938b1118d20db1635030cb8e
                                                                                                                              • Instruction ID: 4fc5dceb73d861248b0dee42824bbf973e929fa364b0b5bf0c6afa97740f0aef
                                                                                                                              • Opcode Fuzzy Hash: 04b04c9d25932102da9d1af3aa80f28ac78f7461938b1118d20db1635030cb8e
                                                                                                                              • Instruction Fuzzy Hash: 03E06575800309AADF10EF65C845ADD7FA8BF10395F10826BB42495180DB70D744CE91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004B61F0
                                                                                                                                • Part of subcall function 004B3C8A: _malloc.LIBCMT ref: 004B3CA8
                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 004B6226
                                                                                                                                • Part of subcall function 004B6173: __EH_prolog3.LIBCMT ref: 004B617A
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: H_prolog3$Exception@8Throw_malloc
                                                                                                                              • String ID: 0]t
                                                                                                                              • API String ID: 623675022-2203560638
                                                                                                                              • Opcode ID: 639bd072cb463862da0b7dd6141d8e887715f74e6b4cb4b030181cfcdd3a3864
                                                                                                                              • Instruction ID: 00162f30cf395f21f0a3301171a36453b87edc4164beac87a5935079d9aacba4
                                                                                                                              • Opcode Fuzzy Hash: 639bd072cb463862da0b7dd6141d8e887715f74e6b4cb4b030181cfcdd3a3864
                                                                                                                              • Instruction Fuzzy Hash: FCE01275A4021AABDF18FFB88916AED7EB1BF04310F504A3EF118E61D1D7788B019B24
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 004E45F6
                                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004E462F
                                                                                                                                • Part of subcall function 004BAEB1: ActivateActCtx.KERNEL32(?,00000000,0072C0F0,00000010,0050A8A2,UxTheme.dll,751F6910,?,0050A963,00000004,004E9366,00000000,00000004,0051D8CE), ref: 004BAED1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmp
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ActivateAddressH_prolog3Proc
                                                                                                                              • String ID: UxTheme.dll
                                                                                                                              • API String ID: 323876227-352951104
                                                                                                                              • Opcode ID: 50166dbadba51d9da611f643c292a7bb31559f8e8c45418e29fcf56b6d0f071b
                                                                                                                              • Instruction ID: c17a6f22cd64c0ccba68aed6b89f4e65371ec8b02ce3afa5d47a7adf6a93e671
                                                                                                                              • Opcode Fuzzy Hash: 50166dbadba51d9da611f643c292a7bb31559f8e8c45418e29fcf56b6d0f071b
                                                                                                                              • Instruction Fuzzy Hash: 36E03034A002805ADB149F35991539A3BE47B84756F848146F804D7291EB7C9D418B58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • __EH_prolog3.LIBCMT ref: 0045403C
                                                                                                                              • GetCurrentProcessId.KERNEL32(00000004), ref: 0045404C
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000001.00000002.393715427.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              • Associated: 00000001.00000002.393703721.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000742000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000769000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.0000000000771000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.393715427.00000000007BE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397314333.00000000007C2000.00000080.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              • Associated: 00000001.00000002.397318896.00000000007C3000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_1_2_400000_irsetup.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentH_prolog3Process
                                                                                                                              • String ID: +DD
                                                                                                                              • API String ID: 2762645583-788365211
                                                                                                                              • Opcode ID: 9a172b0e33e9eb09d29a16857f11ef45b246f56000493d4b499e655d0b0b8697
                                                                                                                              • Instruction ID: e61632d9b028c084b646b49c2df976541f9aa02888915503c18666ccf01b4663
                                                                                                                              • Opcode Fuzzy Hash: 9a172b0e33e9eb09d29a16857f11ef45b246f56000493d4b499e655d0b0b8697
                                                                                                                              • Instruction Fuzzy Hash: 75E04FB45006118BDB18FFA8850638DBAF1AF84704F00885EE08557242EBB85E45CBA6
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%